Submitted by BasedSweet t3_10opq9o in technology
d-givens t1_j6iqhl1 wrote
Reply to comment by Badtrainwreck in FCC Threatens to Disconnect Twilio for Illegal Robocalls by BasedSweet
I use Twilio for SIP trunking. You can’t spoof numbers with them. You’re required to use a caller ID that matches a number on your account.
CondescendingShitbag t1_j6l0g8c wrote
This is supposed to be a mandatory requirement for all VoIP providers thanks to the FCC's STIR/SHAKEN policy of 2019. Remains to be seen how effective the policy will actually be in practice.
AmHoomon t1_j6ks805 wrote
Sooooo how are they abusing our lines then?
drawkbox t1_j6lsn93 wrote
These scammers must be either swapping out the numbers regularly, using one-time verified numbers, or they have some holes in Twilio that are getting around this.
Would seem that most patterns for detecting this would be pretty obvious; Twilio is just letting it slide, probably for that revenue. Now that they got an FCC hit, revenue is threatened, and they will have to close the hole or stop allowing these patterns.
There might be a reason to constantly swap out numbers, but not many... Those should be highly looked at like when you make an app and have background geolocation services on, Apple really prods you to make sure you aren't abusing that. Twilio just seems to let this slide.
The fact that they have these plausible deniability policies that are letting scammers slide, probably due to more political spam demand, is another reason to not trust them for SMS/Authenticator authentication codes over Twilio SMS or Authy app.
There was a big Authy hack not too long ago.
Twilio and Authy also hacked recently. This also affected Okta/Auth0 and companies that rely on those dependencies like DoorDash.
Anyone still using Authy over Google Authenticator or Microsoft Authenticator is not doing good opsec. Twilio has always been sketch. This breach is damaging.
> U.S. messaging giant Twilio has confirmed hackers also compromised the accounts of some Authy users as part of a wider breach of Twilio’s systems. Authy is Twilio’s two-factor authentication (2FA) app it acquired in 2015.
> Twilio’s breach earlier this month, which saw malicious actors accessing the data of more than 100 Twilio customers after successfully phishing multiple employees, keeps growing in scale. Researchers this week linked the attack on Twilio and others to a wider phishing campaign by a hacking group dubbed “0ktapus,” which has stolen close to 10,000 employee credentials from at least 130 organizations since March.
> Now, Twilio has confirmed that Authy users were also impacted by the breach.
> In an update to its incident report on August 24, Twilio said that the hackers gained access to the accounts of 93 individual Authy users and registered additional devices, effectively allowing the attackers to generate login codes for any connected 2FA-enabled account.
> The company said it has “since identified and removed unauthorized devices from these Authy accounts” and is advising affected Authy users, which it has contacted, to review linked accounts for suspicious activity. It’s also recommending that users review all devices tied to their Authy accounts and disable “allow Multi-device” in the Authy application to prevent new device additions.
Okta breached as a result of the Twilio/Authy breach
> Identity giant Okta on Thursday also confirmed it was compromised as a result of the Twilio breach. The company said in a blog post that the hackers — which it refers to as “Scatter Swine” — spoofed Okta login pages to target organizations that rely on the company’s single sign-on service. Okta said that when the hackers gained access to Twilio’s internal console, they obtained a “small number” of Okta customer phone numbers and SMS messages that contained one-time passwords. This marks the second time Okta has reported a security incident this year.
> In its analysis of the phishing campaign, Okta said that Scatter Swine hackers likely harvested mobile phone numbers from data aggregation services that link phone numbers to employees at specific organizations. At least one of the hackers called targeted employees impersonating IT support, noting that the hacker’s accent “appears to be North American.” This may align with this week’s Group-IB investigation, which suggested one of the hackers involved in the campaign may reside in North Carolina.
DoorDash also caught up in it
> DoorDash also confirmed this week that it was compromised by the same hacking group. The food delivery giant told TechCrunch that malicious hackers stole credentials from employees of a third-party vendor that were then used to gain access to some of DoorDash’s internal tools. The company declined to name the third-party, but confirmed the vendor was not Twilio.