Example: RCA Summary Request Form

What happened? What exact dates did the fraudulent activity start and end? When did you discover it?

On February 2, 2026, we were notified by Twilio Support that our account had been compromised. An unauthorized party created new numbers and initiated a massive volume of outbound calls within seconds of each other. The fraudulent activity began and ended on February 2, 2026. We discovered the breach the same day, immediately upon receiving the alert from Twilio, and initiated an investigation at approximately 10:05 AM EST.

How did it happen?

Our investigation revealed that attackers gained access to our entire code repository by fetching the publicly exposed .git folder via HTTP. Because the directory resided under our webroot, a misconfigured web server allowed any visitor to download Git metadata and reconstruct the repository history. Inside this history, we found legacy scripts containing our Twilio Account SID and Auth Token in plain text. This exposure allowed the attacker to use the Twilio API to provision numbers and place calls programmatically without needing to access our Twilio Console or SSH into our virtual machines.

What measures have you taken to fix the problem?

Upon confirming the source of the leak, we took the following immediate actions:

• Credential Rotation: Revoked the compromised Auth Token and generated new credentials.
• Immediate Lockdown: Configured Nginx to explicitly deny all requests to the /.git directory, returning a 403 Forbidden error.
• Code Refactoring: Migrated all Twilio credentials out of the source code. We removed every hard-coded SID/Auth Token and refactored our PHP scripts to load credentials from a secured .env file.
• Asset Cleanup: Deleted the unauthorized numbers to stop further fraudulent traffic.
• Sanitation: Completed all sanitation steps recommended by Twilio.

What measures have you taken to stop the activity and prevent it in the future?

To ensure this vulnerability does not recur, we have implemented the following permanent safeguards:

• Prohibited the use of hard-coded credentials in all development policies.
• Standardized the use of environment variables for all sensitive API keys.
• Implemented secret scanning tools in our CI/CD pipeline to detect and block any commits containing high-entropy strings or known API key formats.

• Applied a global server-level rule to block access to all hidden files and directories.
• Updated deployment scripts to ensure that .git metadata is excluded from production builds entirely.

• Enabled Twilio Usage Triggers to alert our team automatically if account spending exceeds a set daily threshold.
• Updated our .gitignore templates to ensure sensitive configuration files are never tracked in version control.