End-to-end encrypted messaging app Signal says attackers gained access to phone numbers and SMS verification codes of nearly 2,000 users in a breach of communications giant Twilio last week.
Twilio, which provides phone number verification services to Signal, said on Aug. 8 that malicious actors accessed the data of 125 customers after successfully phishing several employees. Twilio did not specify who the customers were, but they are likely to include large organizations, given that Signal confirmed Monday that it was one of those victims.
Signal said in a blog post on Monday that it would notify about 1,900 users whose phone numbers or SMS verification codes were stolen when attackers gained access to Twilio’s customer support console.
“For about 1,900 users, an attacker could have tried to re-register their number on another device or learned that their number was registered on Signal,” the messaging giant said. “Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we received a report from one of these three users that their account was re-registered.”
Although this did not give the attacker access to message history, which Signal does not store, or to contact lists and profile information, which are protected by the user’s Signal security PIN, Signal said “in the event that an attacker could re-register an account, they could send and receive Signal messages from that phone number.”
For those affected, the company says it will de-register Signal on all devices the user is currently using — or on which an attacker has registered them — and require users to re-register Signal with their phone number on their preferred device. Signal also advises users to enable Registration Lock, a feature that prevents an account from being re-registered on another device without the user’s security PIN.
Although the Twilio breach affects a fraction of Signal’s more than 40 million users, users have long lamented that Signal – considered one of the most secure messaging apps – requires users to register a phone number to create an account. Other end-to-end encryption apps, such as Wire, allow users to register with a username. Although Signal has slowly been ending its reliance on phone numbers, such as with the introduction of Signal PINs in 2020, this incident will likely spark calls for it to act faster.