Twilio Account Suspensions
# support
m
I've now had two separate Twilio accounts suspended due to account takeovers from Bangladesh. The only place where the tokens for these phone numbers were entered is VAPI. To note, I have other subaccounts in the same master accounts that are not in VAPI and were not attacked. Only the ones where I entered the token in the VAPI UI. I am concerned that this is a security incident on your side. https://cdn.discordapp.com/attachments/1330369510485528757/1330369510649368648/Screen_Shot_2025-01-18_at_5.47.30_PM.png?ex=678dbaa8&is=678c6928&hm=209d6f41ca5b56868bb79c2bc8544e2e4447fc535375f3c7d58a1605acae24e3&
v
@Marcos Polanco I'm really sorry to hear about the issues you've been experiencing with your Twilio accounts. Security is a top priority for us, and we take concerns like yours very seriously. I assure you that we will investigate this matter thoroughly to understand what might have happened and ensure the integrity of our systems. To proceed with the investigation, could you please provide any additional details or patterns you've noticed related to the account takeovers? This information will be crucial for our security team to track down the issue. In the meantime, I recommend changing your Twilio Auth Tokens and ensuring that your credentials are secure. If you haven't already, enabling two-factor authentication on your Twilio accounts can also add an extra layer of security. Please let us know if there's anything specific you would like us to do to assist you further. If you need immediate assistance or have sensitive information to share, it might be best to reach out to our support team directly.
You can continue this conversation by mentioning me in the message.
m
What are the next steps here
s
@Marcos Polanco There is no security concern on our side. You might have mistakenly leaked your credentials or gotten compromised. Nothing from our side indicates otherwise - if there was a security issue, it would have been visible on the Discord server by now. You can try contacting the Twilio support team about the leaked credentials and other information - they can help you get them taken down.
@Marcos Polanco Please let me know if you need any assistance from our team to better support you.
m
I notice that the VAPI API reveals the Twilio auth token in the phone number queries. I suspect that this was the vector. It is the first time that I observe an API returning secrets as part of its functioning. What's the motivation for having this functionality?
s
@Marcos Polanco Just wanted to confirm you're talking about the phone-numbers page on the dashboard? Something like this https://dashboard.vapi.ai/phone-numbers/:phonenumberId
m
@Shubham Bajaj I am referring to the information entered through the dashboard UI, that is then retrievable via the API. This is the first time I encounter an API that retrieves secrets of third party services. It turns you into an attack vector for Twilio. https://cdn.discordapp.com/attachments/1330369510485528757/1331756479849697320/image.png?ex=6792c65f&is=679174df&hm=06e0b690cb2efd09e654eaec192202d379ea11146d61e15d826b8b02b6af75e3&
s
@Marcos Polanco I understand why revealing third-party tokens in plaintext can be worrisome. At the moment, VAPI does require bearer-token authentication to access any stored Twilio Auth Tokens, which means that they can’t be retrieved publicly. Only someone with valid credentials or a stolen bearer token could do so. However, I fully acknowledge the security implications of even having an endpoint that returns these secrets in plaintext. I will check with our team to see what can be done.
From my investigation so far, it doesn’t appear to be a direct security incident on our side. It is possible that credentials were leaked or compromised elsewhere within your organization or environment. Still, your concern is valid, and we take it seriously.
We’ll keep you updated on any changes we make to improve token handling.
m
Thanks. Yes, we discovered how the Vapi token may have leaked. Thanks for fully considering the implications of the current functionality.
s
> we discovered how the Vapi token may have leaked.

@Marcos Polanco Would you like to shed some light on your findings, if it's comfortable for you?