Twilio Voice Geo Permissions can be changed via API - 2FA did not stop toll fraud : twiliojump to contentmy subreddits<br>edit subscriptions<br>popular<br>-all<br>-users<br>| AskReddit<br>-pics<br>-funny<br>-movies<br>-gaming<br>-worldnews<br>-news<br>-todayilearned<br>-nottheonion<br>-explainlikeimfive<br>-mildlyinteresting<br>-DIY<br>-videos<br>-OldSchoolCool<br>-TwoXChromosomes<br>-tifu<br>-Music<br>-books<br>-LifeProTips<br>-dataisbeautiful<br>-aww<br>-science<br>-space<br>-Showerthoughts<br>-askscience<br>-Jokes<br>-Art<br>-IAmA<br>-Futurology<br>-sports<br>-UpliftingNews<br>-food<br>-nosleep<br>-creepy<br>-history<br>-gifs<br>-InternetIsBeautiful<br>-GetMotivated<br>-gadgets<br>-announcements<br>-WritingPrompts<br>-philosophy<br>-Documentaries<br>-EarthPorn<br>-photoshopbattles<br>-listentothis<br>-blog
more "
reddit.com twiliocomments<br>other discussions (1)
Want to join? Log in or sign up in seconds.
limit my search to r/twiliouse the following search parameters to narrow your results:<br>subreddit:subredditfind submissions in "subreddit"author:usernamefind submissions by "username"site:example.comfind submissions from "example.com"url:textsearch for "text" in urlselftext:textsearch for "text" in self post contentsself:yes (or self:no)include (or exclude) self postsnsfw:yes (or nsfw:no)include (or exclude) results marked as NSFWe.g. subreddit:aww site:imgur.com dog<br>see the search faq for details.
advanced search: by author, subreddit...
this post was submitted on 28 Jun 2026<br>3 points (81% upvoted)<br>shortlink:
Submit a new link
Submit a new text post
twilio<br>joinleave<br>a community for 15 years
MODERATORS
message the mods
1 · 3 comments<br>Monthly Troubleshooting Help Thread<br>19 · 14 comments<br>Meet the Mods!<br>· 1 comment<br>I’m Andy O’Dower, Field CTO at Twilio. From building simple APIs to orchestrating AI agents -- Ask Me Anything!<br>Come find us at We Are Developers<br>Where can I learn twilio<br>2 · 1 comment<br>Built a WhatsApp AI agent with human takeover using Twilio MCP + Claude - WIthout coding<br>4 · 20 comments<br>How to send bulk SMS in Twilio without coding<br>SendGrid now works with IFTTT: send bounces, spam reports, and unsubscribes to Slack, a sheet, or your phone<br>2 · 2 comments<br>No available phone numbers to buy?<br>Help with a conference setup
Welcome to Reddit,<br>the front page of the internet.<br>Become a Redditorand join one of thousands of communities.
×
Twilio Voice Geo Permissions can be changed via API - 2FA did not stop toll fraud (self.twilio)<br>submitted 11 days ago * by Jamira40
Our Twilio account was recently compromised and used for toll fraud.
The concerning part is not only that the API credentials were abused. The attacker was able to change our Voice Geographic Permissions via API from an IP geolocated to Palestine, enable Ethiopia, and then generate 1,000+ minutes of unauthorized calls to Ethiopia. This resulted in almost $500 in charges.
We had 2FA enabled and Geo Permissions / Geo Protection configured specifically to prevent this type of fraud. But apparently Voice Geo Permissions can be changed programmatically through Twilio’s API, without an additional 2FA challenge or security confirmation.
To me, this seems like a serious design issue: a fraud-prevention control should not be silently changeable via API in a way that immediately enables high-risk international calling.
Twilio even treats Geo Permission changes as security-sensitive in other products, for example, SMS Geo Permissions cannot be changed programmatically for security reasons. So why can Voice dialing permissions be changed this way?
I opened a security incident with Twilio and requested escalation/refund. Has anyone else experienced this with Twilio toll fraud or Voice Geographic Permissions being changed via API?
Timeline:
API request from Palestine
Voice Geographic Permissions changed
Ethiopia enabled
1,000+ minutes of calls to Ethiopia
Around $500 in fraudulent charges
Account was mostly dormant not used in any production setup
Account was previously used only with one 3rd party App Talkyto
This looks less like “normal credential misuse” and more like a missing security control around high-risk account settings.
41 comments<br>share<br>save<br>hide<br>report
all 41 comments<br>sorted by: best (suggested)<br>topnewcontroversialoldrandomq&alive (beta)
Want to add to the discussion?<br>Post a comment!<br>Create an account
[–]Fit-Sky8697🥑 DevRel @ Twilio[M] [score hidden] 10 days ago* stickied commentlocked comment (0 children)<br>For transparency: Twilio is aware of this thread and looking into it. I can see a few people here are impacted, which is painful to see.
If you've used Talkyto , rotate your Twilio Auth Token and any API keys as a precaution. Here are guides for both: auth tokens and API keys. It's also worth contacting Talkyto directly, since they're a third-party service and will have visibility into any potential breach on their side.
As always, if you've seen unexpected activity on your Twilio account, please open a support ticket so it can be investigated properly.
Talkyto have confirmed a breach: relevant comment here...