End-to-end encrypted messaging app Signal says that hackers accessed the phone numbers and SMS verification codes of 1,900 users as part of last week's Twilio breach. Twilio, which provides phone number verification services to Signal, said on August 8 that malicious actors accessed the data of 125 customers after successfully phishing multiple employees.
Signal Was One of the Victims of the Twilio Breach
Twilio did not say who the customers were, but they are likely to include large organizations, given that Signal confirmed on Monday that it was one of the victims. Signal said in a blog post on Monday that it would notify about 1,900 users whose phone numbers or SMS verification codes were stolen in the Twilio breach, in which attackers gained access to Twilio’s customer support console.
“For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal,” the messaging giant said about the Twilio breach. “Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered.”
While this didn’t give the attacker access to message history, which Signal doesn’t store, or to contact lists and profile information, which are protected by the user’s security PIN, Signal said: “in the case that an attacker was able to re-register an account, they could send and receive Signal messages from that phone number.”
Signal Requires Affected Users to Re-Register on the App
For users affected by the Twilio breach, Signal says it will unregister Signal on all devices that the user is currently using, or that an attacker registered them to, and will require users to re-register Signal with their phone number on their preferred device. Signal also advises users to switch on registration lock, a feature that prevents an account from being re-registered on another device without the user’s security PIN.