Third-party breach hits MFA authenticator Cisco Duo


Cisco Duo has warned customers that a threat actor gained access to its vendor systems and obtained a set of MFA SMS logs pertaining to customer accounts.

The company did not disclose the name of the breached telephony provider Duo uses to “send multifactor authentication (MFA) messages via SMS and VOIP to its customers.”

Yet the notification email states that the threat actor “gained access to the Provider’s internal systems on April 1st, 2024, using a Provider employee’s credentials that the threat actor illicitly obtained through a phishing attack.”


These credentials were then used to access and download a set of multi-factor authentication (MFA) SMS messages from certain Duo accounts.

While the logs didn’t contain “any message content,” they did contain some sensitive information.

This information includes:

  • Phone numbers
  • Phone carriers
  • Countries
  • States
  • Other metadata (date and time of the message, and message types)

The notification letter claims that “The Provider” confirmed that the threat actor didn’t download or access any messages or exploit their access to internal systems to send any messages to the affected phone numbers.

Upon discovery, the third-party vendor began investigating the incident and “implemented mitigation measures,” which included “invalidating the employee's credentials, analyzing activity logs, and notifying Cisco of the incident.”

Cisco Duo’s vendor has provided the company with copies of the message logs that the threat actor obtained for the affected Duo accounts. Affected individuals can receive copies of these logs, the company said.

Cisco Duo is a two-factor authentication solution company that allows organizations to access company networks and applications securely.


As Cisco Duo is a service used by corporations, the notice urges their clients to “contact (your) customers with affected users whose phone numbers were contained in the message logs.”

The company urges those affected by the breach to remain vigilant and report “suspected social engineering attacks to the relevant incident response team or designated point of contact.”

Cisco Duo claims to serve 100,000 customers globally and to manage 1 billion monthly authentication users.