Twilio Account SID

ID

twilio_account_sid

Severity

low

Vendor

Twilio

Family

API Key

Description

Twilio is a cloud communications platform that provides APIs for SMS, voice, video, and authentication services.

An Account SID (prefixed with AC) identifies a Twilio account. It is not a secret by itself, but it is required alongside the Auth Token for API authentication.

Security

A leaked Twilio Account SID alone poses a limited risk, as it is an identifier rather than a secret. However, its exposure is relevant in the following scenarios:

  • Combined with a leaked Auth Token or API Key Secret, it enables full API authentication and unauthorized access to the account.

  • It may help attackers craft phishing or social engineering attempts against the account, since it lends their messages an appearance of legitimacy.

  • It can reveal the existence and structure of a Twilio account, which may be undesirable from an operational security perspective.

Examples

The following is an example of a leaked Twilio Account SID:

TWILIO_ACCOUNT_SID=AC9f8e7d...5d4c
client = Client("ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "your_auth_token_here")

Mitigation / Fix

  1. Remove the Account SID from the source code or committed configuration file, and replace the usages with a reference to an environment variable or secret vault, as documented in How to Prevent Hard-Coded Secrets.

  2. If the Account SID was leaked alongside an Auth Token or API Key Secret, treat those credentials as compromised and revoke them immediately.

  3. Follow best practices for securely handling Twilio credentials:

    • Use environment variables or secret managers even for non-secret identifiers.

    • Monitor API usage for unusual patterns.

    • Implement proper access controls.
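The following is an added example, not code from Twilio or from this rule's detector, showing both halves of the mitigation above: a small scanner that flags Account SID-shaped tokens in committed files, and a loader that resolves the SID and Auth Token from environment variables instead of source code. It assumes the SID format is "AC" followed by 32 hexadecimal characters (consistent with the masked example above); the sample config and the environment variable names TWILIO_ACCOUNT_SID and TWILIO_AUTH_TOKEN are constructed for illustration.

```python
import os
import re
from typing import Dict, List, Mapping

# Assumed Account SID shape: "AC" + 32 hex characters, matching the
# masked example ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx on the page.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")

# Constructed sample of a committed settings file; the SID is not a real account.
SAMPLE_CONFIG = """\
# settings.py (constructed sample)
TWILIO_ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef"
client = Client("AC0123456789abcdef0123456789abcdef", "your_auth_token_here")
OTHER_ID = "ACME_CORP"   # not a SID: 'M' is not hex
SHORT = "AC1234"         # not a SID: too short
"""


def find_account_sids(text: str) -> List[str]:
    """Return every Account SID-shaped token in text, deduplicated, in order of first appearance."""
    found: List[str] = []
    for match in ACCOUNT_SID_RE.finditer(text):
        sid = match.group(0)
        if sid not in found:
            found.append(sid)
    return found


def mask_sid(sid: str) -> str:
    """Shorten a SID for scanner output so reports do not reproduce the full identifier."""
    return sid[:4] + "..." + sid[-4:]


def load_twilio_credentials(env: Mapping[str, str] = os.environ) -> Dict[str, str]:
    """Resolve Twilio credentials from the environment (or any mapping, for tests).

    Fails fast on a missing variable or a malformed SID so a misconfigured
    deployment is caught before any API call is made.
    """
    required = ("TWILIO_ACCOUNT_SID", "TWILIO_AUTH_TOKEN")
    missing = [name for name in required if not env.get(name)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    sid = env["TWILIO_ACCOUNT_SID"]
    if not ACCOUNT_SID_RE.fullmatch(sid):
        raise ValueError("TWILIO_ACCOUNT_SID does not look like a Twilio Account SID")
    return {"account_sid": sid, "auth_token": env["TWILIO_AUTH_TOKEN"]}


if __name__ == "__main__":
    # Scan the constructed config as a pre-commit check would.
    for sid in find_account_sids(SAMPLE_CONFIG):
        print(f"hard-coded Account SID found: {mask_sid(sid)}")
    # Load credentials the recommended way; raises if the variables are unset.
    try:
        creds = load_twilio_credentials()
        print("loaded credentials for", mask_sid(creds["account_sid"]))
    except RuntimeError as exc:
        print("not configured:", exc)
```

The scanner only reports the masked form of each hit, so its own output does not become another copy of the identifier in CI logs. The loader validates the SID shape as well as presence, which also catches the common mistake of pointing TWILIO_ACCOUNT_SID at an API Key SID or another identifier by accident.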

Treat any sensitive data in commits that contained secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.