Cisco Duo Warns Third-Party Data Breach Exposed SMS MFA Logs

Cisco Duo recently sent out a notice warning that some of their customer’s VoIP and SMS logs for multi-factor authentication messages were stolen by hackers in a cyberattack on the vendor’s telephony providers. According to Cisco Duo, an unnamed provider who handles the company’s SMS and VOIP multi-factor authentication messages was compromised on April 1, 2024. In this case, the actor was able to obtain employee credentials via a phishing attack which were then used to gain access to the telephony provider’s systems. Using this access the actor was observed downloading message logs for SMS messages that were sent to certain users between March 1, 2024, and March 31, 2024. These messages allegedly contained the phone number, phone carrier, country, and state to which each message was sent, as well as other metadata (e.g., date and time of the message, type of message, etc.).

Security Officer Comments:
According to Cisco Duo, the actor did not use their access to the provider’s internal systems to send any messages to any of the numbers contained in the message logs. Upon discovering the incident, the provider immediately commenced an investigation and implemented mitigation measures, including immediately invalidating the employee’s credentials, analyzing activity logs, and notifying Cisco of the incident.

Suggested Corrections:
In total, this incident is believed to have impacted 1,000 people. Given that the messages contained data such as phone numbers, we could see follow-up social engineering and SMS phishing attacks. Impacted individuals should be on the lookout for targeted SMS text messages and voice calls.