Cisco Duo Breach

Date: April, 2024

Cisco Duo is an access security provider that offers security products for small business and commercial customers, including multi-factor authentication (MFA), single sign-on, and access control services. Duo serves over 100k customers globally and handles over a billion authentications per month. Duo can operate at this scale because it uses third-party suppliers; one of those suppliers, which handles Duo’s MFA messages sent via SMS and VOIP, has reported a security incident.

What Was the Breach?

  • Phone Number and Mobile Service Carrier
  • Location Data (Sent From and Destination)
  • Date and Time of Sent Message
  • Message Type (Not Content)

How Did the Breach Occur?

According to the statement published by Duo, the third-party supplier's systems were breached after employee credentials were stolen in a phishing attack. The credentials allowed the malicious actor to download message logs and metadata from March 1st, 2024, to March 31st, 2024. The downloaded logs did not contain message content, but the threat actor could use the accessed information to inform further phishing attempts.

When Did This Breach Occur?

Duo’s statement suggests that the unauthorized party accessed the supplier’s systems around April 1st, 2024. The release does not indicate when or how officials learned of the activity. After learning of the incident, the supplier immediately invalidated the compromised credentials and notified Duo.

Who Does the Breach Impact?

The statement suggests the breach may impact the employees of organizations working with Duo’s MFA and VOIP services. However, a representative spoke with BleepingComputer around April 16th, suggesting that the event may impact 1% of Duo’s clients; that equates to the exposure of around 1,000 employee details.

How Many Files Does the Breach Affect?

It is not yet clear how many files this event may impact. The representative who spoke with BleepingComputer has suggested 1,000 cases; however, there may be more exposures if the threat actor attempts to use the stolen information to breach other systems. Consequently, although the supplier has already invalidated the exposed credentials, now is the time for impacted individuals and organizations to strengthen their security measures.
