April 17, 2024 Cisco Duo, a prominent provider of multifactor authentication (MFA) services, has fallen victim to a cyberattack targeting one of its third-party telephony service providers. Cisco has issued an advisory to customers, alerting them of potential follow-up phishing attempts leveraging the breach.

The incident, which occurred on April 1, involved unauthorized access by threat actors using stolen employee credentials to download SMS logs from the provider’s systems. These logs contained metadata such as phone numbers, carriers, and message times for messages sent in March 2024, though no content from the messages was exposed.

Upon discovery, Cisco Duo informed its customers and advised them to caution any individuals whose data may have been compromised. The company stressed the importance of vigilance against subsequent phishing attacks that may use the stolen information.

This breach underscores a growing pattern of attacks targeting identity security providers. Experts, like Jeff Margolies of Saviynt, point to historical precedents, including incidents involving Okta and Microsoft, as well as the RSA SecurID Token attack in 2011.

The breach highlights the vulnerability within the supply chain of identity security services and the importance of stringent security measures. Margolies emphasizes the need for companies to understand their reliance on such third-party providers and to have robust mitigating controls in place.

In light of the breach, organizations are urged to assess the impact on their cybersecurity posture and implement additional controls to detect and respond to any incidents involving their identity security providers.

The incident with Cisco Duo is a stark reminder of the importance of cyber resilience in an increasingly interconnected digital ecosystem, where the security of one provider can have cascading effects on numerous organizations and users.