Twilio believes that the security of our products and our customers’ data is of paramount importance, and when an incident occurs that might threaten that security, we tell you about it. To that end, we want to provide an overview of the impact we experienced from the recently disclosed Codecov vulnerability and how we managed that event.
On April 15, 2021, Codecov publicly disclosed a security event in which an attacker modified the Bash Uploader component, which enabled the attacker to potentially export information stored in continuous integration (CI) environments. Twilio was notified of the event by Codecov and immediately began our security incident response process. We have Codecov tools, including the Bash Uploader component, in use in a small number of our projects and CI pipelines. These projects and CI pipelines are not in the critical path for providing updates or functionality to our communication APIs.
Our subsequent …
Security threats come in from all angles, and keeping track of them all is a constant challenge.
Attackers can target many links in the communication chain: the connection between you and your network, your passwords and API tokens, and other sensitive systems and information. If your Twilio account is compromised, the result can be massive fraudulent charges, blocked phone numbers, loss of customer trust, and more.
Here are seven best practices you can follow to keep your Twilio account, or any account, safer.
Keep your passphrases strong
First and foremost, use strong passphrases.
What does that mean these days? It turns out that a short jumble of hard-to-remember characters is less effective than a longer password that is easier to remember: length adds far more search space for an attacker than forced punctuation does. That’s why Twilio requires at least 14 characters but has no “special character” requirements.
It should go without saying: don’t share your passwords and don’t …
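The length-first policy above, as an added example that is not Twilio's own code: a passphrase checker that enforces a 14-character minimum with no composition rules, plus an entropy estimate (length times log2 of the alphabet actually used) that shows why a long, plain passphrase beats a short symbol-laden one. The common-password list is constructed for the example, and the “too few distinct characters” guard is an assumption added here so that a single repeated character cannot satisfy the length rule.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strings"
	"unicode"
	"unicode/utf8"
)

// MinPassphraseLen mirrors the length floor described in the post.
const MinPassphraseLen = 14

// commonPassphrases is a constructed stand-in for a breached-password list.
var commonPassphrases = map[string]bool{
	"password123456":     true,
	"qwertyuiopasdfgh":   true,
	"twiliotwiliotwilio": true,
}

// EntropyBits estimates the search space an attacker faces if the password
// were drawn uniformly from the character classes it actually uses:
// length * log2(alphabet size). It is an estimate, not a guarantee of strength.
func EntropyBits(pw string) float64 {
	var lower, upper, digit, other bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	alphabet := 0
	if lower {
		alphabet += 26
	}
	if upper {
		alphabet += 26
	}
	if digit {
		alphabet += 10
	}
	if other {
		alphabet += 33 // printable ASCII punctuation plus space
	}
	if alphabet == 0 {
		return 0
	}
	return float64(utf8.RuneCountInString(pw)) * math.Log2(float64(alphabet))
}

// CheckPassphrase applies a length-first policy with no composition rules:
// at least MinPassphraseLen characters, not on the common-password list, and
// not a handful of characters repeated (an assumption added for this example).
func CheckPassphrase(pw string) error {
	n := utf8.RuneCountInString(pw)
	if n < MinPassphraseLen {
		return fmt.Errorf("too short: %d characters, need at least %d", n, MinPassphraseLen)
	}
	norm := strings.ToLower(strings.TrimSpace(pw))
	if commonPassphrases[norm] {
		return errors.New("passphrase appears on the common-password list")
	}
	distinct := map[rune]bool{}
	for _, r := range norm {
		distinct[r] = true
	}
	if len(distinct) < 4 {
		return errors.New("too few distinct characters")
	}
	return nil
}

func main() {
	for _, pw := range []string{"P@ssw0rd!", "aaaaaaaaaaaaaaaa", "Password123456", "correct horse battery staple"} {
		fmt.Printf("%-30q %6.1f bits  policy: %v\n", pw, EntropyBits(pw), CheckPassphrase(pw))
	}
}
```

Note that "P@ssw0rd!" uses all four character classes yet carries roughly 59 bits under this estimate, while the four-word lowercase passphrase carries roughly 165 bits; the extra length, not the punctuation, is what widens the search space.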
Over the past couple of months, Twilio has been testing additional safeguards and checks around SSL certificate validation. During the week of October 12th 2015, we deployed a change to our HTTP proxies to validate SSL certificates. This feature is enabled by default for all new accounts. We have also deployed a change to our Account Portal so that developers with existing accounts can choose to enable this validation.
What is the purpose of this safeguard?
The purpose of certificate validation is to prevent Man-in-the-Middle attacks on HTTPS connections: by checking that the certificate your endpoint presents chains to a trusted certificate authority, is within its validity period, and matches the requested hostname, Twilio ensures it is talking to your server and not to an attacker positioned between Twilio and your application who could read or alter the request.
How does this safeguard impact me?
This change impacts customers who use HTTPS endpoints to receive requests from Twilio. If certificate validation is enabled and your endpoint presents a certificate that is self-signed, expired, issued for a different domain name, or not issued by a trusted certificate authority*, HTTP requests to your application from Twilio will fail, which will result in an error notification. Error notifications are available …
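The four failure modes listed above, as an added example that is not Twilio's own code: the program builds throwaway certificates covering each case (trusted and correct, self-signed, expired, wrong hostname, untrusted issuer) and runs them through the same checks a strict HTTPS client performs, using Go's standard x509 verification. The CA names and the hostname webhooks.example.com are constructed for the example; run it against your own endpoint's certificate chain to see in advance how validation will treat it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Outcome labels for an endpoint certificate under strict validation.
const (
	ResultOK           = "accepted"
	ResultUntrusted    = "rejected: self-signed or not issued by a trusted CA"
	ResultExpired      = "rejected: expired"
	ResultHostMismatch = "rejected: not issued for this hostname"
	ResultOther        = "rejected: other validation failure"
)

// issue creates a certificate for name. With parent == nil it is self-signed;
// otherwise it is signed by parent with parentKey. Keys are throwaway P-256 keys.
func issue(name string, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	serial.Add(serial, big.NewInt(1)) // serial numbers must be positive
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // hostname validation uses the SAN entries
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Classify performs the checks a strict HTTPS client applies to a leaf
// certificate (validity period, hostname match, chain to a trusted root)
// and maps the resulting x509 error onto a readable outcome.
func Classify(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var unknownAuth x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return ResultOK
	case errors.As(err, &unknownAuth):
		return ResultUntrusted
	case errors.As(err, &hostErr):
		return ResultHostMismatch
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return ResultExpired
	default:
		return ResultOther
	}
}

// RunScenarios builds one trusted CA plus a leaf certificate for each case
// from the post and reports how strict validation treats it for host.
func RunScenarios(host string) map[string]string {
	now := time.Now()
	nb, na := now.Add(-time.Hour), now.Add(24*time.Hour)
	trustedCA, trustedKey := issue("Trusted Test CA", nb, na, true, nil, nil)
	rogueCA, rogueKey := issue("Rogue Test CA", nb, na, true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA) // only the first CA is trusted

	good, _ := issue(host, nb, na, false, trustedCA, trustedKey)
	selfSigned, _ := issue(host, nb, na, false, nil, nil)
	expired, _ := issue(host, now.Add(-48*time.Hour), now.Add(-24*time.Hour), false, trustedCA, trustedKey)
	wrongHost, _ := issue("other.example.net", nb, na, false, trustedCA, trustedKey)
	untrusted, _ := issue(host, nb, na, false, rogueCA, rogueKey)

	return map[string]string{
		"trusted CA, correct host, in date": Classify(good, roots, host),
		"self-signed":                       Classify(selfSigned, roots, host),
		"expired":                           Classify(expired, roots, host),
		"issued for a different domain":     Classify(wrongHost, roots, host),
		"issued by an untrusted CA":         Classify(untrusted, roots, host),
	}
}

func main() {
	for scenario, outcome := range RunScenarios("webhooks.example.com") {
		fmt.Printf("%-36s -> %s\n", scenario, outcome)
	}
}
```

Only the first scenario is accepted; each of the others is rejected with a distinct error, which is what a request from Twilio to such an endpoint would hit once validation is enabled.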