How we got abused via OTP
It's January 2023. I was about to board a plane to Bangkok from the island of Koh Samui when I checked my emails. "Something's not right," I thought to myself...

Going through my emails, I saw several about Twilio's auto-recharge, and then something about a suspension. We were using Twilio to send SMS messages and phone call alerts.
"That's odd, let me check!".
I logged into Twilio from my phone and checked.
Horror.
Instant horror.
The balance was insane. But negative.
I told my friend I needed to sit down and check something. I pulled out my laptop and logged in.
Same information.
Same insane balance.
Right there and then I knew it... we've been abused.
Successfully abused.
I felt my throat tighten and my mind racing. I was beating myself up for not implementing more robust abuse protection. I was also furious that Twilio allowed the messages to be sent even when the balance went negative. Thousands of dollars negative!
Then I did all the required steps: closed the system, opened a ticket, created an RCA.
What happened is that attackers issued tens of thousands of sign-up requests, each of which triggered a one-time-password (OTP) SMS message to be sent. And it was only a couple of weeks earlier that I had received an email from Twilio warning us of such attacks and recommending protection systems against them.
I tried to get Twilio to clear our balance, since it shouldn't have sent messages while the balance was already negative and could no longer be automatically topped up.
They were partially understanding and credited part of the balance, but it still took more than a year for us to cover the rest of it.
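The attack described above is a sign-up flood: each request is for a fresh, never-seen number, so a limit keyed only on the phone number never fires, and the bill keeps growing as long as the provider keeps delivering. The gate below is an added example, not Monitive's or Twilio's code, of the kind of protection the post says was missing: it sits in front of the OTP send and refuses to dispatch once any of three limits is hit (per phone number, per client IP, and a hard spend budget per window that does not depend on the provider's account balance). The class name, thresholds, per-message cost and the sample IP and numbers are all assumptions made for the example.

```python
"""
Added example (not Monitive's or Twilio's code): a gate in front of the OTP
SMS send that refuses to dispatch when any of three limits is exceeded:
 - per phone number: at most N OTPs per sliding window
 - per client IP:    at most M OTPs per sliding window
 - global spend:     a hard cap on estimated cost per window, enforced on
                     our side regardless of the provider's balance
Thresholds, the per-message cost and all sample values are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class OtpSendGate:
    per_phone_limit: int = 3            # OTPs per phone per window (assumed)
    per_ip_limit: int = 10              # OTPs per IP per window (assumed)
    window_seconds: int = 3600          # sliding window length (assumed)
    cost_per_sms: float = 0.05          # assumed average price of one SMS
    spend_cap_per_window: float = 20.0  # hard budget per window (assumed)
    # timestamps of allowed sends, keyed by phone and by IP, plus all sends
    _phone_hits: dict = field(default_factory=lambda: defaultdict(deque))
    _ip_hits: dict = field(default_factory=lambda: defaultdict(deque))
    _sends: deque = field(default_factory=deque)

    def _prune(self, q: deque, now: float) -> None:
        # drop timestamps that have fallen out of the sliding window
        while q and now - q[0] >= self.window_seconds:
            q.popleft()

    def try_send(self, phone: str, ip: str, now: float) -> tuple[bool, str]:
        """Return (allowed, reason). A send is recorded only when allowed.
        The caller passes the clock so the logic is testable offline."""
        phone_q = self._phone_hits[phone]
        ip_q = self._ip_hits[ip]
        self._prune(phone_q, now)
        self._prune(ip_q, now)
        self._prune(self._sends, now)

        if len(phone_q) >= self.per_phone_limit:
            return False, "phone rate limit"
        if len(ip_q) >= self.per_ip_limit:
            return False, "ip rate limit"
        # budget check counts the send we are about to make
        if (len(self._sends) + 1) * self.cost_per_sms > self.spend_cap_per_window:
            return False, "spend cap"

        phone_q.append(now)
        ip_q.append(now)
        self._sends.append(now)
        return True, "ok"


def simulate_pumping(gate: OtpSendGate, n_requests: int) -> dict:
    """Constructed scenario: one client IP requests OTPs for n distinct
    numbers within the same second, as a sign-up flood does. Returns a
    count of outcomes by reason, e.g. {'ok': 10, 'ip rate limit': 40}."""
    counts: dict = defaultdict(int)
    for i in range(n_requests):
        # constructed phone numbers and a documentation-range IP
        allowed, reason = gate.try_send(f"+1555000{i:04d}", "203.0.113.7", now=0.0)
        counts[reason] += 1
    return dict(counts)


if __name__ == "__main__":
    print(simulate_pumping(OtpSendGate(), 50))
```

The per-phone limit on its own would have allowed every one of the flood's requests through, because each used a new number; the per-IP limit stops a single-source flood, and the spend cap is the backstop that stops the bleeding when the flood is distributed and the provider keeps sending on a negative balance. Blocked attempts are worth logging with their reason so a spike in "spend cap" refusals pages someone instead of showing up on next month's invoice.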
Since then, sign-ups on Monitive.com have been closed. All the existing users were happily using our services, and I am grateful to them, but it seemed that I couldn't trust the system enough to allow new users to sign up. I was being overly cautious. So I closed the "cellar doors", leaving the system inside fully operational, and I went on my journey seeking other things to focus on.
And the system worked. With zero code changes and minimal intervention, it did its job. Non-stop, making thousands of checks every minute, sending alerts, keeping an eye out when everyone is out and about. Including me.
Fast forward two years. It's April 2025, about two years and three months since the incident. No critical bugs, still the same happy customers. Seeing that the gross volume of sales was down only 15% in 2024 compared to 2023, it occurred to me that this is actually a simple, useful service that makes people's lives better.
So I decided to pick up the ball. I went ahead and opened the (metaphorical) "cellar doors" to see where I was at and what's to do next.
What did I find? A lot of (metaphorical) spider webs, rust and some rotten code. But I'll leave that for another story, perhaps next week.