Cisco Duo Security Breach: Third-Party Vendor Compromised, Exposing MFA SMS and VOIP Data

Table of Contents

  1. Introduction
  2. Details of the Breach
  3. Impact on the CIA Triad
  4. Recommendations for Improved Security
  5. Final Thoughts

Introduction

On April 1, 2024, Duo by Cisco notified its customers about a significant security breach involving a third-party vendor responsible for handling SMS and VOIP multi-factor authentication (MFA) messages. The compromise occurred through an unnamed service provider, whose internal systems were accessed by threat actors using credentials obtained via a phishing attack. Cisco Duo did not disclose the identity of the telephone provider used for sending MFA messages. The breach involved access to a series of MFA SMS messages containing sensitive Personally Identifiable Information (PII) such as contact numbers, phone carriers, citizenship status, and states, along with metadata including the date and time of message generation. However, the breach did not expose the content of the messages or involve any unauthorized message transmissions.