Skip to content

Twilio Master Secret

Service Name: Twilio

Service Description: Twilio is a cloud communications platform that enables developers to build SMS, voice, and messaging applications using web service APIs.

Service Address: https://www.twilio.com/

Validation Type: API Auth

IP Allow list: Does not exist

Secret Access Scope: Grants full administrative access to a Twilio account, including the ability to manage all services, make API calls, and access sensitive account information.

Secret Revokement URL: https://www.twilio.com/console/project/api-keys

Secret Example: 0123456789abcdef0123456789abcdef

Suspicious Activity Investigation Instructions:

  • Review Twilio Console logs for unauthorized API calls or unusual activity
  • Check for unexpected changes to messaging services, phone numbers, or account settings
  • Verify if there are any new API keys or credentials that were created without authorization
  • Monitor for unexpected charges or usage spikes in your Twilio account
  • Review IP access logs for connections from unfamiliar locations

Mitigation Instructions:

  • Immediately revoke the compromised master secret through the Twilio Console
  • Generate a new master secret if needed
  • Update all applications and services to use the new credentials
  • Consider implementing IP restrictions for API access
  • Enable two-factor authentication for your Twilio account
  • Review and update access permissions for all team members
  • Implement proper secret management practices using environment variables or a secrets manager