Skip to content

Cisco Duo’s SMS MFA logs exposed in third-party data breach

  • by
  • 3 min read

Threat actors have gained access to the Cisco Duo telephony supplier’s server and managed to obtain Voice over Internet Protocol (VoIP) and SMS message logs of multi-factor authentication (MFA) messages covering the period from March 1, 2024, to March 31, 2024.

These logs contained detailed information such as phone numbers, carriers, geographical information, and metadata (date, time, and type of message), excluding the actual message content.

To gain access to the server, threat actors used the credentials of one of the employees of the Duo telephony suppliers, who had gained them via a phishing attack. After gaining access, they downloaded the message logs for the company’s SMS messages to certain users in March.

As per the telephony supplier, hackers did not misuse this data to access or manipulate message contents or engage in further unauthorised activities.

” The Provider confirmed that the threat actor did not download or otherwise access the content of any messages or use their access to the Provider’s internal systems to send any messages to any of the numbers contained in the message logs,” noted Cisco in a notice sent to customers.

In response to the breach, the supplier took decisive decisions. They invalidated the compromised credentials, launched a thorough investigation into the incident, and immediately informed Cisco’s Data Privacy and Incident Response Team.

What is phishing? Types of phishing scams and how to protect yourself?
Threat actors used phishing tactics to gain employee credentials and used it to gain unlawful entry into the server.

Additionally, measures were implemented by the supplier to enhance employee awareness regarding social engineering tactics, alongside the deployment of robust technical safeguards to mitigate potential risks associated with similar attacks in the future.

The supplier provided Cisco with the message logs. For customers impacted by this breach, the company has established proactive communication channels. They can request their message logs at

The company has recommended that customers inform individuals whose phone numbers were exposed in the breach of the situation. They should also educate themselves and others about social engineering attacks and report any suspicious activity to the authorities.

“Please contact your customers with affected users whose phone numbers were contained in the message logs to notify them, without undue delay, of this event and to advise them to be vigilant and report any suspected social engineering attacks to the relevant incident response team or other designated point of contact for such matters. Please also consider educating your users on the risks posed by social engineering attacks and investigating any suspicious activity,” recommended Cisco.

Cybercriminals have always relied on phishing as a popular method to obtain credentials. On April 9 2024, it was reported that threat actors were phishing iva ScrupCrypt tool to deploy VenomRAT. Just a few days before that, on April 4, Agent Tesla phishing campaigns were discovered.

In March, Darcula phishing campaign was exposed by the investigators. Finally, in January, another threat actor, the GXC Team was found using AI-powered phishing tools.

In the News: Meta temporarily shuts down Threads in Turkiye

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: