The security team at Cisco Duo on Monday reported a cyberattack on its telephony provider. According to the Cisco Data Privacy and Incident Response Team, hackers stole VoIP and SMS logs used for multi-factor authentication (MFA) messages from some customers.
The company announced the attack in a customer notice, stating that the breach exposed phone numbers, phone carriers, metadata, and other logs.
The notice details how a threat actor acquired employee credentials via a phishing attack, then used those credentials to access the telephony provider’s systems. The intruder subsequently downloaded SMS and VoIP MFA message logs linked to specific Duo accounts.
“More specifically, the threat actor downloaded message logs for SMS messages that were sent to certain users under your Duo account between March 1, 2024, and March 31, 2024. The message logs did not contain any message content but did contain the phone number, phone carrier, country, and state to which each message was sent, as well as other metadata (e.g., date and time of the message, type of message, etc.),” the notice reads.
Cisco said the hacked telephony provider reported that the threat actor did not download or access the content of any messages, nor did they use their access to send messages to any of the numbers in the message logs.
Cisco added that customers with affected Duo accounts can request copies of the stolen message logs. It also warned users about potential attacks that may stem from the hack.
“Because the threat actor obtained access to the message logs through a successful social engineering attack on the Provider, please contact your customers with affected users whose phone numbers were contained in the message logs to notify them, without undue delay, of this event and to advise them to be vigilant and report any suspected social engineering attacks to the relevant incident response team or other designated point of contact for such matters,” Cisco said.
Cisco has yet to reveal the name of the affected telephony supplier or the number of customers impacted by this incident.