Leaked Twilio credentials — SMS fraud at scale

A Twilio Auth Token grants full access to your Twilio account: sending SMS, placing voice calls, purchasing numbers, and accessing call metadata. SMS fraud is the standard attacker workflow — international premium rates burn budget in hours.

The next 60 seconds matter

The attacker sends bulk SMS to premium international numbers they control, earning a cut on each message. A compromised Twilio account can burn ten thousand dollars in under 12 hours.

  • Send SMS to attacker-owned premium numbers (toll fraud)
  • Purchase phone numbers and provision them to attacker resources
  • Read your customer SMS history
  • Send phishing SMS from your phone number to your users

Rotation playbook

  1. console.twilio.com → Account → API keys & tokens → Regenerate auth token
  2. Contact Twilio support immediately to flag the account and request a fraud review
  3. Disable international SMS if not essential
  4. Switch to API Keys (separately rotatable) instead of the account-level auth token

Prevent the next one

  • Use Twilio API Keys (not Account Auth Token) for application code
  • Enable geo-permissions to restrict SMS to specific countries
  • Set a low spending limit on the account
  • Never embed Twilio credentials client-side

Pattern we scan for
AC{32 hex chars} (Account SID) appearing alongside a 32-character auth token
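A minimal detector for the pattern above, added here as an example and not the scanner this page refers to. It flags Account SIDs and candidate auth tokens in a file, masks them in the report, and rates a file holding both as the high-confidence case; the regexes, the severity levels and the sample config are assumptions constructed for the example.

```python
import re
from typing import List, NamedTuple

# Account SID: "AC" followed by 32 hex chars. Auth token: a bare 32-char hex string.
# Both patterns are this example's own approximation of the page's description.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
AUTH_TOKEN_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


class Finding(NamedTuple):
    line_no: int
    kind: str     # "account_sid" or "auth_token"
    masked: str   # first/last 4 chars only, safe to include in a report or alert


def mask(value: str) -> str:
    """Never write the full secret to a log; keep just enough to correlate."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        sid_spans = []
        for m in ACCOUNT_SID_RE.finditer(line):
            sid_spans.append(m.span())
            findings.append(Finding(line_no, "account_sid", mask(m.group())))
        for m in AUTH_TOKEN_RE.finditer(line):
            # "A" and "C" are valid hex digits, so never report the hex tail of a SID as a token.
            if any(start <= m.start() < end for start, end in sid_spans):
                continue
            findings.append(Finding(line_no, "auth_token", mask(m.group())))
    return findings


def classify(findings: List[Finding]) -> str:
    """SID + token together is the actionable leak; a lone 32-hex string may just be an MD5."""
    kinds = {f.kind for f in findings}
    if {"account_sid", "auth_token"} <= kinds:
        return "high"
    if "auth_token" in kinds:
        return "medium"
    if "account_sid" in kinds:
        return "low"
    return "none"


# Constructed sample .env content; these are not real Twilio credentials.
SAMPLE_ENV = """\
# constructed sample config
TWILIO_ACCOUNT_SID=ACa1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6
TWILIO_AUTH_TOKEN=0123456789abcdef0123456789abcdef
GIT_COMMIT=3f2a9b1c
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE_ENV)
    for f in results:
        print(f"line {f.line_no}: {f.kind} {f.masked}")
    print("severity:", classify(results))
```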