Contain: Immediate Countermeasures
The Contain phase focuses on limiting immediate impact and preventing further unauthorized activity. The goal is to quickly restrict threat actor access to your accounts and services once fraud has been confirmed.
After validating the type of fraud in the Validate phase, begin the steps in this section as soon as possible.
Twilio-guided remediation
If Twilio has notified you of suspicious activity and provided a specific remediation workflow through the Twilio Console, follow the instructions provided to accelerate containment. Otherwise, proceed with the steps outlined below.
- For attacks carried out through your account, where you are the victim of an Account Takeover (ATO), follow the steps in the ATO - Account Sanitization section.
- For attacks on your account, which typically involve Artificially Inflated Traffic (AIT) or a smishing/vishing-style attack, follow the steps in the Anomalous Traffic - Control Remediation section.
- If you may be subject to both, complete the account sanitization steps first and only then move on to AIT control remediation: an attacker who still holds valid credentials can simply undo any traffic controls you put in place.
If you've confirmed an Account Takeover (ATO), begin these containment steps immediately. The goal of this section is to remove unauthorized access and restore account integrity.
As you work through this process, keep the following in mind:
- Complete every step: each step in this section is required before your account can be reactivated. Skipping one (for example, leaving a compromised API key active, or requesting a secondary Auth Token but never promoting it, so the compromised primary keeps working) may lead to a second ATO.
- Account Reactivation: If your account was suspended as part of the response, all required containment steps must be completed before your account can be reactivated.
This phase focuses on short-term containment steps to immediately cut off unauthorized access to your account. Completing these steps helps reduce the immediate risk of further impact.
To further minimize the likelihood of recurring ATOs, it's important to implement longer-term safeguards. After completing the actions in this phase, follow the steps outlined in the Diagnose phase to identify root causes and put preventative measures in place.
For repeat ATO incidents, Twilio may require a completed Root Cause Analysis (RCA) before affected accounts can be reactivated.
The sections below provide step-by-step guidance for performing account sanitization actions in the Twilio Console.
The Auth Token provides administrative-level programmatic access to your entire Twilio account. There is only one Auth Token per account. If your Auth Token is compromised, your entire Twilio account is compromised.
Destructive action
Rotating your Auth Token is a destructive action. Any applications currently using these credentials will immediately stop working until you update them with the new one.
- Log in to your Twilio Console.
- On the main Account Dashboard, find the Account Info section.
- You will see your Account SID and your Auth Token (the token is hidden by default).
- Towards the bottom of the Account Info section, click the Go to account settings button.
- If prompted, enter your verification code in the box titled Verification code required for access. Then click Verify.
- In the left-hand column, under Keys & Credentials, click API keys & tokens.
- Scroll down to the section called Auth Tokens. In the box called Live credentials, click Request a secondary token.
- In the pop-up box, click Request token.
- Your new Auth Token will be displayed as Secondary token. Copy this new token immediately and store it securely (like in a password manager).
- Update and test all your applications and scripts with this new secondary Auth Token.
- When testing is complete with the new token, promote your secondary token to primary by clicking Promote to primary.
- A prompt will display, stating that promoting the secondary token to primary will delete the existing primary token and that all future API calls using this token will fail. Check I acknowledge the impact of this action and then click Promote token.
- If you have subaccounts, rotate their Auth Tokens as well. When the parent account's Auth Token was compromised, treat every subaccount as impacted: the parent's credentials can read each subaccount's Auth Token through the API, so a compromised parent exposes them all. In the top-left corner, click the Account Selection dropdown (it usually shows your current account name).
- Click View Subaccounts. You will see a table listing all your subaccounts.
- Under Account Name, click on the account for which you would like to rotate its Auth Token.
- Follow steps 2-12 to rotate the Auth Token. To switch to another account in your organization, follow steps 13-15.
If you need to rotate Auth Tokens programmatically, use the Twilio API to create, delete, and promote secondary Auth Tokens for one or more accounts/subaccounts. Extend these API calls into a script that can rotate secrets across many accounts at once and much faster than what can be done via the Twilio Console.
API Keys are a more secure way to grant programmatic access to your account, as their permissions can be scoped down appropriately. The following is how to remove an API key that may be compromised. You will not be able to create new API keys while your account is under ATO suspension.
Destructive action
Deleting API keys is a destructive action. Any applications currently using these credentials will immediately stop working until you update them with new ones.
- Log in to your Twilio Console.
- On the main Account Dashboard, find the Account Info section.
- You will see your Account SID and your Auth Token (the token is hidden by default).
- At the bottom of the Account Info section, click Go to API Keys.
- You will see a list of your existing API Keys.
- Find the API Key you want to delete (you can identify it by its Friendly Name or SID).
- Click on the Friendly Name or SID of the key to open its details.
- At the bottom of the page, click the red Delete this API Key button.
- A confirmation pop-up will appear. Click Delete this API key to confirm deletion.
In the case of an ATO, follow this procedure for all API keys in the affected account(s). To accelerate this process, you can also rotate API keys programmatically by using the Twilio API to create and delete API keys for one or more accounts/subaccounts.
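The two programmatic paths mentioned above (rotating Auth Tokens through the API, and creating and deleting API keys through the API) can be combined into one sanitization sweep over a parent account and its subaccounts. The Python script below is an added example written for this page; it is not Twilio's own code and does not use the Twilio SDK. It talks to the REST API directly with the standard library, so the endpoint paths and response fields it relies on (the 2010-04-01 Accounts and Keys resources, and the Accounts v1 AuthTokens/Secondary and AuthTokens/Promote resources, which act on whichever account's SID and token you authenticate with) are the editor's reading of the public API and should be checked against the current Twilio docs before use. The FakeTwilio class and the ACaaaa/ACbbbb sample tree are constructed stand-ins so the script runs offline.

```python
"""Added example (not Twilio's code): sweep Auth Tokens and API keys over a parent
account and its subaccounts. Endpoint paths and fields are the editor's reading of
the public Twilio REST API (an assumption to verify against the current docs)."""
import base64, json, urllib.error, urllib.parse, urllib.request
from typing import Callable, Dict, List, Optional, Tuple

API = "https://api.twilio.com/2010-04-01"
ACCOUNTS = "https://accounts.twilio.com/v1"   # AuthTokens endpoints act on the authenticating account
Auth = Tuple[str, str]                        # (AccountSid, AuthToken), sent as HTTP Basic auth
Transport = Callable[[str, str, Auth, Optional[dict]], Tuple[int, dict]]

def http_transport(method: str, url: str, auth: Auth, form: Optional[dict]) -> Tuple[int, dict]:
    """Real transport: form body, Basic auth, JSON reply; HTTP errors come back as status codes."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode() if form else None, method=method)
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode())
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        return err.code, {}

def _paged_get(url: str, auth: Auth, key: str, transport: Transport) -> List[dict]:
    """Follow next_page_uri of a 2010-04-01 list resource until exhausted."""
    items: List[dict] = []
    while url:
        status, body = transport("GET", url, auth, None)
        if status != 200:
            raise RuntimeError(f"GET {url} failed: HTTP {status}")
        items.extend(body.get(key, []))
        url = f"https://api.twilio.com{body['next_page_uri']}" if body.get("next_page_uri") else ""
    return items

def list_account_credentials(parent_sid: str, parent_token: str, transport: Transport = http_transport) -> Dict[str, str]:
    """{account_sid: auth_token} for the parent and all active subaccounts. Listed with parent
    credentials, each subaccount record carries its Auth Token: a leaked parent token leaks them all."""
    creds = {parent_sid: parent_token}
    for acct in _paged_get(f"{API}/Accounts.json?Status=active&PageSize=50", (parent_sid, parent_token), "accounts", transport):
        creds.setdefault(acct["sid"], acct["auth_token"])
    return creds

def request_secondary_tokens(creds: Dict[str, str], transport: Transport = http_transport) -> Dict[str, str]:
    """Step 1: mint a secondary token per account; store it, roll apps onto it. The old primary still works."""
    fresh = {}
    for sid, token in creds.items():
        status, body = transport("POST", f"{ACCOUNTS}/AuthTokens/Secondary", (sid, token), {})
        if status not in (200, 201) or "secondary_auth_token" not in body:
            raise RuntimeError(f"secondary token for {sid} failed: HTTP {status}")
        fresh[sid] = body["secondary_auth_token"]
    return fresh

def promote_secondary_tokens(creds: Dict[str, str], transport: Transport = http_transport) -> Dict[str, str]:
    """Step 2, after re-testing apps: promote each secondary (deletes the old primary).
    Authenticate with the current primary; the reply carries the now-primary token."""
    promoted = {}
    for sid, token in creds.items():
        status, body = transport("POST", f"{ACCOUNTS}/AuthTokens/Promote", (sid, token), {})
        if status not in (200, 201) or "auth_token" not in body:
            raise RuntimeError(f"promotion for {sid} failed: HTTP {status}")
        promoted[sid] = body["auth_token"]
    return promoted

def delete_all_api_keys(sid: str, token: str, transport: Transport = http_transport) -> List[str]:
    """Enumerate every key first, then delete, so deletions cannot shift pages and skip keys."""
    auth = (sid, token)
    key_sids = [k["sid"] for k in _paged_get(f"{API}/Accounts/{sid}/Keys.json?PageSize=50", auth, "keys", transport)]
    for key_sid in key_sids:
        status, _ = transport("DELETE", f"{API}/Accounts/{sid}/Keys/{key_sid}.json", auth, None)
        if status != 204:
            raise RuntimeError(f"delete {key_sid} on {sid} failed: HTTP {status}")
    return key_sids

class FakeTwilio:
    """Constructed in-memory stand-in for the API so the sweep can be exercised offline."""
    def __init__(self, accounts: Dict[str, str], keys: Dict[str, List[str]]):
        self.tokens, self.secondary, self.keys = dict(accounts), {}, {s: list(k) for s, k in keys.items()}

    def __call__(self, method, url, auth, form):
        sid, token = auth
        if token not in (self.tokens.get(sid), self.secondary.get(sid)):
            return 401, {}  # stale or foreign credentials are rejected, as by the real API
        path = urllib.parse.urlsplit(url).path
        if method == "GET" and path == "/2010-04-01/Accounts.json":
            return 200, {"accounts": [{"sid": s, "auth_token": t} for s, t in self.tokens.items()]}
        if method == "GET" and path.endswith("/Keys.json"):
            return 200, {"keys": [{"sid": k} for k in self.keys[sid]]}
        if method == "DELETE" and "/Keys/" in path:
            self.keys[sid].remove(path.rsplit("/", 1)[1][:-len(".json")])
            return 204, {}
        if method == "POST" and path == "/v1/AuthTokens/Secondary":
            self.secondary[sid] = f"new-{sid[-4:]}"
            return 201, {"secondary_auth_token": self.secondary[sid]}
        if method == "POST" and path == "/v1/AuthTokens/Promote" and sid in self.secondary:
            self.tokens[sid] = self.secondary.pop(sid)
            return 200, {"auth_token": self.tokens[sid]}
        return 404, {}

if __name__ == "__main__":
    # Constructed sample tree (real SIDs are 34 characters): parent ACaaaa with subaccount ACbbbb.
    api = FakeTwilio({"ACaaaa": "tok-a", "ACbbbb": "tok-b"}, {"ACaaaa": ["SK1", "SK2"], "ACbbbb": ["SK3"]})
    creds = list_account_credentials("ACaaaa", "tok-a", api)
    fresh = request_secondary_tokens(creds, api)  # write to your secret store; update and test every app
    for sid, token in creds.items():
        print(sid, "API keys deleted:", delete_all_api_keys(sid, token, api))
    print("promoted", len(promote_secondary_tokens(creds, api)), "accounts; the old primaries no longer work")
```

Run the steps in the order the Console procedure above prescribes: list credentials, request secondaries, hand them to a secret store (never log them), update and test every application, and only then promote. To use it against a real account, pass nothing for the transport so `http_transport` is used with your parent Account SID and current Auth Token. The fake rejects the old primary with a 401 after promotion, which is exactly the property a forgotten promotion or a skipped API key fails to deliver: the attacker's credential keeps working.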
This adds an extra layer of security to your Console login by requiring a verification code as a second factor. If 2FA is already enabled for your user and for every other user with access to the account, move on to the next step (checking for credentials exposed on GitHub).
- Log in to your Twilio Console.
- In the top-right corner, click on your profile icon/name.
- Select User Settings from the dropdown menu.
- On the User Settings page, find the Two-Factor Authentication (2FA) section.
- Click Set up 2FA.
- Choose your verification method:
- Authenticator App (Recommended): Use an app like Google Authenticator or Authy. You'll scan a QR code with your phone.
- SMS: Receive a verification code via text message.
- Follow the on-screen prompts to scan the QR code with your phone or enter your phone number.
- Enter the 6-digit code provided by your app or SMS to verify.
- Important: Twilio will provide you with backup codes. Save these codes somewhere safe (like a password manager). If you lose access to your 2FA device, these codes will be your only way to log in.
- 2FA is now active. The next time you log in, you will be prompted for your password and a code from your chosen 2FA method.
If you haven't already, check whether any of your Twilio credentials have been exposed on GitHub. If your review indicates that your credentials were publicly exposed, follow the steps below to make the affected GitHub repository private and ensure it's no longer publicly accessible. Note that changing visibility limits further exposure but revokes nothing: a credential that was ever public must be treated as compromised and rotated using the Auth Token and API key steps above, and it remains in the repository's commit history until that history is rewritten.
Repository visibility change
All public access to your repository will be revoked. Only you and any collaborators you explicitly add will be able to see or pull from the repository. Any public forks of your repository will not be made private. They will be detached and become part of a separate network, and the fork owners will retain their copy.
- Navigate to the main page of the repository you want to make private on GitHub.com.
- On the repository's main page, click the Settings tab near the top of the page.
- Scroll down to the bottom of the General settings page to the red Danger Zone section.
- In the Danger Zone section, find the Change repository visibility option and click the Change visibility button.
- A drop-down option will appear. Select Change to private.
- A popup will appear. Confirm the name of your repository and click I want to make this repository private.
- Another popup will appear. Review the list of effects. Click the I have read and understand these effects button.
- Review the final warning and confirm your choice by clicking Make this repository private.
- Go back to your main GitHub profile page by clicking your profile icon in the top-right and selecting Repositories. Find the repository in your list. It will now have a Private label (vs. Public) next to its name.
For the latest and most authoritative information on setting repository visibility, review GitHub's public documentation on the topic.
ATO indicators detected?
If the anomalous traffic event you are experiencing includes indicators of an ATO, stop here and follow the steps in the ATO - Account Sanitization section first. Failure to do so will most likely result in a recurrence of the fraudulent activity.
If you've confirmed you are subject to activity such as AIT or vishing/smishing, begin these containment steps immediately. The goal is to prevent further fraudulent calls and messages by cutting off all abuse of your services. This includes blocking threat actors from using features like OTP verification services or promo forms to generate unwanted voice calls or texts to suspicious numbers.
When a destination country is disabled in Geo permissions, Twilio blocks calls and messages to numbers in that country at the network level, so your application cannot be abused to dial premium-rate numbers there.
- Log in to your Twilio Console.
- For Programmable Voice:
- On the left-hand side, navigate to Voice > Settings > Geo permissions.
- For Programmable SMS:
- On the left-hand side, navigate to Messaging > Settings > Geo permissions.
- Uncheck all countries in which you do not do business, and ensure only the specific countries you serve are checked. You may also want to verify that common fraud destinations (Latvia, Lithuania, Maldives, Somalia, Sierra Leone, etc.) are unchecked.
- For Verify for SMS and Voice channels (if you are using Twilio Verify):
- On the left-hand side, navigate to Verify > Settings > Geo permissions.
- You can choose to disable all traffic, allow all traffic, or monitor all traffic for blocking fraud (SMS only). Apply to individual countries or all countries within a continent.
- Click Save geographic permissions when you are finished making your changes.
Your application should now receive an error when it tries to reach numbers being used by the threat actor and you will stop paying for these calls and/or messages.
If you are using Twilio Verify to support OTP, enable Fraud Guard to automatically detect and block abnormal traffic patterns to high-risk destinations:
- Log in to your Twilio Console.
- On the left-hand side, navigate to Verify > Services.
- Select the affected Verify service.
- Click the SMS & RCS tab and in the Fraud Guard section, click Standard Protection or Max Protection.
- Click Save.
If you built your own 2FA with OTP using Programmable SMS:
- Log in to your Twilio Console.
- On the left-hand side, navigate to Messaging > Settings > General.
- Under SMS Pumping Protection, select Enabled and click Save.
By enabling SMS Pumping Protection, Twilio will automatically monitor and block fraudulent SMS pumping attempts on your account. For the US and Canada, SMS Pumping Protection is provided at no additional cost, so it may not appear as a line item in the Features section of the SMS pricing pages.
If a specific subaccount in your organization is the one being impacted (and Twilio did not suspend the account on your behalf), follow this section to temporarily suspend all activity in that account without closing it.
API required for suspension
The Twilio Console may only show a Close Subaccount button. To suspend (pause) without deleting, you must use the API. To access this capability via the command line interface, you must have the Twilio CLI installed and authenticated.
- Log in to the Twilio Console.
- In the top-left corner, click the Account Selection dropdown (it usually shows your current account name).
- Click View Subaccounts. You will see a table listing all your subaccounts.
- Locate the subaccount under the Account Name column. The Account SID (starting with AC...) will be listed in the column next to it. Copy the Account SID.
- Open a terminal window and enter the following command (replacing <SUBACCOUNT_SID_HERE> with the Account SID copied in step 4):
twilio api:core:accounts:update --sid <SUBACCOUNT_SID_HERE> --status suspended
The status indicator next to the subaccount should now be orange/red and read Suspended. All API calls using that subaccount's credentials will now fail with a 401 Unauthorized response. Suspension does not invalidate the subaccount's Auth Token or API keys, so if the subaccount itself was compromised, complete the account sanitization steps before reactivating it. If you would like to reactivate the subaccount after the investigation has concluded, enter the following:
twilio api:core:accounts:update --sid <SUBACCOUNT_SID_HERE> --status active
This section mainly details short-term containment, with the goal being to cut off threat actor access as soon as possible. For guidance on mid- and long-term containment and remediation, refer to the section Define Preventive and Corrective Actions in the Diagnose phase.