Credential stuffing is an attack in which lists of previously compromised credentials, traded among bad actors on the internet, are tried against a given site or application. When a site is breached and its credentials stolen, those credentials are routinely tested against other sites and applications, because many people reuse the same email and password combination across multiple sites.
Although the available features vary by subscription and by what individuals have chosen to set up on their account, careful attention should be paid to the following pages to identify unauthorized activity, including:
Unified login users should review activity data in the Twilio Account interface, which now includes SendGrid access.
This can vary by account. We suggest you review all the emails sent from your account over the past 30 days and scrutinize any subject lines that you don't immediately recognize.
If you are using IP access management, you have taken an extra precaution that would have prevented the attackers from accessing your account from any address outside your allow list. IP access management refuses logins and API calls from IP addresses you have not explicitly allowed, which locks the attackers out and prevents this kind of account takeover.
IP access management settings can be managed through the unified Twilio Account interface, and it effectively secures both Twilio and SendGrid services.
In some cases the attackers used the stolen account credentials to log in and then created a new API key, giving themselves programmatic access to the account so they could send email. In these cases we have taken the additional step of invalidating some recently created API keys to revoke the attackers' sending access. You can check the status of your API keys by visiting the API Key page in your account; review every key listed there and delete any key you or your team did not create.
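The review described above can be scripted. The following is an added example, not SendGrid's or Twilio's own tooling: it lists the account's API keys through the documented v3 endpoint (GET https://api.sendgrid.com/v3/api_keys, authenticated with a Bearer token that is permitted to read API keys) and compares the result with an inventory of key ids the team knows it created, so that any key outside the inventory is surfaced for review and, if unexplained, revoked. The sample listing, key ids and names are constructed for offline use; the inventory set is an assumption about how you track your own keys.

```python
"""Audit SendGrid API keys against a known-good inventory.

Added example, not SendGrid's own tooling. fetch_api_keys() calls the
documented v3 endpoint; SAMPLE_LISTING below is a constructed response in
the same shape so the audit logic can run offline.
"""
from __future__ import annotations

import json
import urllib.request

SENDGRID_API_KEYS = "https://api.sendgrid.com/v3/api_keys"


def fetch_api_keys(auth_key: str) -> dict:
    """GET /v3/api_keys; `auth_key` is assumed to be a key that may read API keys."""
    req = urllib.request.Request(
        SENDGRID_API_KEYS, headers={"Authorization": f"Bearer {auth_key}"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def find_unknown_keys(listing: dict, known_ids: set) -> list:
    """Return every key in the listing whose api_key_id is not in the inventory.

    The inventory is the source of truth: a key the team did not create is
    treated as attacker-created until someone explains it.
    """
    return [k for k in listing.get("result", []) if k["api_key_id"] not in known_ids]


def revoke_key(auth_key: str, api_key_id: str) -> int:
    """DELETE /v3/api_keys/{id}; returns the HTTP status code (204 on success).
    `auth_key` is assumed to be a key that may delete API keys."""
    req = urllib.request.Request(
        f"{SENDGRID_API_KEYS}/{api_key_id}",
        method="DELETE",
        headers={"Authorization": f"Bearer {auth_key}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample response (ids and names are made up) in the shape of the
# v3 api_keys listing: {"result": [{"api_key_id": ..., "name": ...}, ...]}
SAMPLE_LISTING = {
    "result": [
        {"api_key_id": "k_prod_mailer", "name": "production mailer"},
        {"api_key_id": "k_staging", "name": "staging"},
        {"api_key_id": "k_9f2a", "name": "Full Access"},
    ]
}
# Assumed inventory: the key ids the team itself created and tracks.
KNOWN_KEY_IDS = {"k_prod_mailer", "k_staging"}


def audit(listing: dict = SAMPLE_LISTING, known_ids: set = KNOWN_KEY_IDS) -> list:
    """Print and return the ids of keys that are not in the inventory."""
    unknown = find_unknown_keys(listing, known_ids)
    for key in unknown:
        print(f"UNKNOWN API key: id={key['api_key_id']} name={key['name']!r}")
    return [k["api_key_id"] for k in unknown]


if __name__ == "__main__":
    # Offline run over the constructed sample. For a live audit:
    #   audit(fetch_api_keys(os.environ["SENDGRID_AUDIT_KEY"]), KNOWN_KEY_IDS)
    # and revoke_key(...) each id that nobody on the team can account for.
    audit()
```

Run the live audit with a dedicated, narrowly scoped key rather than a full-access one, and treat a key named something generic such as "Full Access" that nobody remembers creating as the attacker's foothold: revoke it first, then rotate the password and enable 2FA, because a key created by the attacker keeps working after the password alone is changed.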
Our team conducted a thorough investigation of the IP addresses accessing accounts and identified the IPs of bad actors that were accessing multiple accounts, of which your account was one.
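The two mechanisms above, the multi-account IP pattern that identified the bad actors and the allow list that IP access management enforces, can both be checked against a login log. The following is an added example, not the investigation tooling of SendGrid or Twilio: it parses a constructed login log (the line format is an assumption; the addresses are from the RFC 5737 test ranges and the account ids are made up), flags every source IP that attempted logins on several distinct accounts, and shows which successful logins to a given account an allow list would have refused.

```python
"""Credential-stuffing signature and allow-list check over login records.

Added example; the log format, accounts and addresses are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

# Constructed sample log, one login attempt per line (assumed format).
SAMPLE_LOG = """\
2020-08-19T02:11:04Z login_success account=acct_1041 ip=203.0.113.7
2020-08-19T02:11:09Z login_success account=acct_2277 ip=203.0.113.7
2020-08-19T02:11:15Z login_failed  account=acct_3190 ip=203.0.113.7
2020-08-19T02:11:20Z login_success account=acct_0512 ip=203.0.113.7
2020-08-19T08:30:01Z login_success account=acct_1041 ip=198.51.100.23
2020-08-20T09:02:44Z login_success account=acct_1041 ip=198.51.100.23
2020-08-20T09:15:10Z login_success account=acct_2277 ip=192.0.2.88
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>login_\w+)\s+account=(?P<account>\S+)\s+ip=(?P<ip>\S+)$"
)


def parse_log(text: str) -> list:
    """Turn log lines into dicts with ts, event, account and ip; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def ips_touching_multiple_accounts(records, min_accounts: int = 2) -> dict:
    """Map each IP that attempted logins on at least `min_accounts` distinct
    accounts to the set of accounts it touched. Failed attempts count too: a
    stuffing run produces many failures for every success."""
    by_ip = defaultdict(set)
    for r in records:
        by_ip[r["ip"]].add(r["account"])
    return {ip: accts for ip, accts in by_ip.items() if len(accts) >= min_accounts}


def blocked_by_allow_list(records, account: str, allow_list: list) -> list:
    """Return the successful logins to `account` whose source address is outside
    the allow list (CIDR strings): the logins IP access management would refuse."""
    nets = [ipaddress.ip_network(cidr, strict=False) for cidr in allow_list]
    blocked = []
    for r in records:
        if r["account"] != account or r["event"] != "login_success":
            continue
        addr = ipaddress.ip_address(r["ip"])
        if not any(addr in net for net in nets):
            blocked.append(r)
    return blocked


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, accts in ips_touching_multiple_accounts(recs).items():
        print(f"{ip} touched {len(accts)} accounts: {sorted(accts)}")
    for r in blocked_by_allow_list(recs, "acct_1041", ["198.51.100.0/24"]):
        print(f"acct_1041: login from {r['ip']} at {r['ts']} would have been blocked")
```

On the sample data one address walks four accounts in sixteen seconds, which is the pattern a single legitimate user does not produce, while the two other addresses each belong to one account. For acct_1041, an allow list covering only its office range rejects exactly the login from the shared attacker address, which is the protection the previous answers describe.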
If you are unable to generate a password reset email for your account, please contact our support team for further assistance.
It was important to reset the affected account passwords as soon as possible without tipping off the bad actors, so we timed this notification to coincide with the reset.
Any service that relies on basic authentication (your account username and password), including logins to the UI and API calls, will be disrupted, so API integrations should authenticate with an API key instead.
In addition to 2FA, we suggest all users take advantage of IP access management to restrict the IP addresses that can access a given account. If account owners work with a team of people, we recommend using Teammates to restrict access; it gives the account admin greater flexibility to structure how colleagues can and cannot access the account, instead of sharing the account password.