Cisco: Hacker breached multifactor authentication message provider on April 1

Cisco said one of the providers it uses to send multifactor authentication (MFA) messages was breached by a threat actor on April 1. 

In emails to customers, Cisco said the incident specifically affected Duo — a multifactor authentication company it acquired in 2018. The attacker breached the system of a telephony supplier that Duo uses to send MFA messages through texts and phone calls to its customers.

The emails do not say which provider was attacked but explains that Cisco is working with it to investigate the incident. 

“It is our understanding from the Provider that a threat actor gained access to the Provider’s internal systems, on April 1, 2024, using a Provider employee’s credentials that the threat actor illicitly obtained through a phishing attack and used that access to download a set of MFA SMS message logs pertaining to your Duo account,” Cisco’s Data Privacy and Incident Response Team explained. 

“More specifically, the threat actor downloaded message logs for SMS messages that were sent to certain users under your Duo account between March 1, 2024 and March 31, 2024.” 

The logs did not contain any content but did have phone numbers, carriers, countries and the states where the messages were sent as well as other metadata. 

The hacker behind the incident did not download any of the contents of the messages or use their access to the company’s system to send any messages, Cisco said. 

Once the incident was discovered, the unnamed company canceled the employee’s credentials and analyzed activity logs before notifying Cisco. 

Cisco was provided with a copy of the message logs and customers will be given a copy of the logs if they ask for it. Duo and Cisco did not respond to requests for comment about how many people were affected and which provider was attacked. 

Duo has more than 40,000 customers and offers its services to state and federal government agencies  as well as school districts and universities. Some of its more high-profile customers include Lyft, Yelp, Box and AmeriGas. 

Saviynt’s Jeff Margolies and several other cybersecurity experts warned that the incident was yet another example of threat actors targeting key parts of the security architecture and taking advantage of third or fourth party providers to disrupt the services of major companies.