Twilio Voice Geo Permissions can be changed via API - 2FA did not stop toll fraud
Our Twilio account was recently compromised and used for toll fraud.
The concerning part is not only that the API credentials were abused. The attacker was able to change our Voice Geographic Permissions via API from an IP geolocated to Palestine, enable Ethiopia, and then generate 1,000+ minutes of unauthorized calls to Ethiopia. This resulted in almost $500 in charges.
We had 2FA enabled and Geo Permissions / Geo Protection configured specifically to prevent this type of fraud. But apparently Voice Geo Permissions can be changed programmatically through Twilio’s API, without an additional 2FA challenge or security confirmation.
To me, this seems like a serious design issue: a fraud-prevention control should not be silently changeable via API in a way that immediately enables high-risk international calling.
Twilio even treats Geo Permission changes as security-sensitive in other products, for example, SMS Geo Permissions cannot be changed programmatically for security reasons. So why can Voice dialing permissions be changed this way?
I opened a security incident with Twilio and requested escalation/refund. Has anyone else experienced this with Twilio toll fraud or Voice Geographic Permissions being changed via API?
Timeline:
- API request from Palestine
- Voice Geographic Permissions changed
- Ethiopia enabled
- 1,000+ minutes of calls to Ethiopia
- Around $500 in fraudulent charges
- Account was mostly dormant not used in any production setup
- Account was previously used only with one 3rd party App Talkyto
This looks less like “normal credential misuse” and more like a missing security control around high-risk account settings.