Twilio response to Voxox data breach

November 15, 2018
Written by Twilio (Twilion)

Summary

On Friday, November 16, 2018, Twilio became aware of an incident regarding Voxox, a wholesale SMS provider, in which an unsecured database was accessible to the internet and exposed details of SMS messages and the companies that sent them. Media articles report that many of these SMS messages contained sensitive information such as authentication passcodes and delivery tracking numbers linking to unauthenticated details on the web. The vulnerability was uncovered by security researcher Sébastien Kaul.

Trust is a top priority for Twilio. We take issues like this very seriously and quickly sought to understand the impact of this incident for Twilio’s customers. This blog post details our findings and will be updated if any new information comes to light.

Actions Taken

Upon learning of this incident, Twilio triggered our incident response process to examine whether this wholesale SMS provider, Voxox, was in use by the Twilio API and, if so, to determine the impact on our customers.

We can confirm from our investigation that the Twilio API has no direct connection to Voxox and, to the best of our knowledge, no messages submitted via the Twilio API were routed through Voxox.

It is worth noting that, due to the nature of downstream SMS routing through other SMS partners, we cannot guarantee that any Twilio customers’ SMS messages did not at some point traverse the Voxox service. An SMS message, once sent from Twilio, may in some cases travel over several SMS networks before being delivered to the recipient. So while messages submitted via the Twilio API were not routed directly by Twilio to Voxox, we have no visibility into the additional hops that an SMS message may travel.

Conclusion

Twilio considers trust a top company priority. We invest significant effort in ensuring our infrastructure and the services provided by our SMS vendors are secure and reliable.

This notice is part of our commitment to transparency. As a company which provides APIs used by our customers to protect their own business, we take issues like this seriously. If you have any questions or concerns about this incident, the security of your user data or your account, please contact us at help@twilio.com or open a support ticket.