Twilio’s Response to the Recent Codecov Vulnerability

Twilio has experienced a security incident due to the recently disclosed Codecov vulnerability, where an attacker modified the Bash Uploader component, potentially exposing sensitive information stored in continuous integration environments. Twilio was notified of the event by Codecov and immediately began its security incident response process, identifying and rotating exposed credentials, notifying affected individuals privately, and conducting thorough investigations to validate the impact of the exposure. To prevent similar issues in the future, Twilio has a robust third-party security team that evaluates its technology supply chain, an active internal service called Deadshot that scans GitHub pull requests for secrets and insecure coding practices, and tooling for Static Application Security Testing to identify security issues and vulnerabilities in code. Despite the incident, Twilio has no indication of any further customer data breaches or issues with product availability or functionality.