The phone numbers of approximately 1,900 Signal users were exposed in a data breach that hit cloud-based PaaS company Twilio earlier this month.
Let me remind you that the Twilio hack occurred in early August 2022. Then unknown attackers organized a phishing attack on the company’s employees, stole their account data, and then used some customers to access the data. As it became known later, this incident affected 125 Twilio client companies.
Now the developers of the Signal messenger have published a statement according to which the attack on Twilio has also affected their users. The fact is that Signal uses Twilio to send SMS verification codes to users who register in the application.
“All of our users can rest assured that their message history, contact lists, profile information, blocked contacts, and other personal data remain private and secure and unaffected [during the incident],” the company says.
However, the phone numbers of approximately 1,900 Signal users could have fallen into the hands of the attackers who hacked Twilio, and hackers could use this opportunity to re-register on another device.
The fact is that Signal’s own investigation revealed that the access to the Twilio customer support console obtained by hackers allowed them to find out the phone numbers associated with Signal accounts, and also revealed SMS verification codes that were used to register with the service.
“While the attackers had access to Twilio’s customer support systems, they could try to re-register the phone numbers available to them on another device using SMS verification. Attackers no longer have such access, [specialists] Twilio stopped the attack, ”Signal explains.
Signal developers say that out of all 1,900 phone numbers, the attackers were clearly only interested in three numbers, which which hackers were specifically looking for. One of these users reported that his account did get re-registered.
The company emphasizes that user message history is safe because it is only available on the device itself and is not copied to Signal servers. In turn, contact lists and profile information are protected by a PIN, which was not available to Twilio hackers.
Signal is currently sending SMS notifications to all those affected and warning that all 1,900 users will be required to re-register on their devices for security reasons.
The developers also recommend that all users enable registration protection. This added security measure requires a PIN when registering a phone number on a new device.