Industry - Data Breach
Executive Summary
Tyler Robert Buchanan, a 24-year-old British member of the cybercrime group Scattered Spider, pleaded guilty to wire fraud conspiracy and aggravated identity theft for his role in 2022 SMS phishing attacks targeting major technology companies including Twilio, LastPass, DoorDash, and Mailchimp. The attacks compromised tens of thousands of users and enabled the group to steal at least $8 million in cryptocurrency through SIM-swapping, where attackers hijack victims' phone numbers to intercept ...
What Happened
Tyler Robert Buchanan, a 24-year-old British member of the cybercrime group Scattered Spider, pleaded guilty to wire fraud conspiracy and aggravated identity theft in connection with SMS phishing attacks conducted in summer 2022. The attacks targeted major technology companies including Twilio, LastPass, DoorDash, and Mailchimp, compromising their systems through tens of thousands of phishing messages that impersonated employees to deceive IT help desks. Using data stolen from these breaches, Buchanan and his co-conspirators executed SIM-swapping attacks that transferred victims' phone numbers to attacker-controlled devices, allowing them to intercept authentication codes and steal at least $8 million in cryptocurrency from individual investors.
Who Is Affected
Tens of thousands of users of the breached technology platforms were directly affected when their personal data was compromised in the initial phishing attacks. Individual cryptocurrency investors across the United States suffered direct financial losses totaling at least $8 million through subsequent SIM-swapping attacks that hijacked their phone numbers and drained their digital wallets. The attacks also impacted the breached companies themselves, including Twilio, LastPass, DoorDash, and Mailchimp, which had their security systems compromised and customer data stolen.
Why It Matters
This case demonstrates how a single coordinated cybercrime operation can cascade across multiple major technology platforms to affect tens of thousands of users and result in millions of dollars in theft. The successful use of social engineering tactics to bypass corporate security measures at well-established technology companies highlights persistent vulnerabilities in help desk verification processes and SMS-based authentication systems. The substantial financial losses and widespread data compromise underscore the inadequacy of phone-number-based security for protecting high-value accounts like cryptocurrency wallets.
What You Should Do
If you had accounts with Twilio, LastPass, DoorDash, or Mailchimp in 2022, change your passwords immediately and review your account activity for any unauthorized access or changes. Disable SMS-based two-factor authentication on all accounts, especially cryptocurrency wallets and financial accounts, and switch to authentication apps or hardware security keys that cannot be intercepted through SIM-swapping. Contact your mobile carrier to place additional security protections on your account to prevent unauthorized SIM card changes, and monitor your phone service for any unexpected loss of signal that could indicate an active SIM-swap attack.
Summary generated from verified sources and reviewed before publication.