The phone numbers of around 1,900 Signal users were exposed in a Twilio data breach that happened on August 4. Twilio provides phone number verification services for Signal and disclosed that an unknown attacker accessed its networks at the beginning of the month.
Twilio itself confirmed that the data of around 125 customers was exposed following the hack. The attackers accessed Twilio employee accounts after sending the employees text messages containing malicious phishing links.
Signal published an advisory informing users how the Twilio hack impacted the app’s users, assuring them that their message history, contact lists, profile information, the people they’ve blocked, and other personal data remain secure and weren’t affected.
For the 1,900 customers whose phone numbers were exposed, the attacker could have attempted to re-register their numbers to another device. As a safety precaution, Signal has de-registered these numbers from all devices, and the affected users are advised to re-register them to their original devices.
Signal is also informing all affected customers directly via SMS (and via notifications in the Signal app) and has asked them to log into their Signal accounts again and enable the registration lock feature, which is built to protect users against such attacks. Signal expects to complete the notification process by August 17.
Signal also conducted its own investigation into what happened at Twilio and found that the attacker’s access to Twilio’s customer support console either allowed them to see whether or not a number was linked to a Signal account or revealed the SMS verification code required for registering the number with the service.
Three of the impacted numbers were explicitly searched for by the attacker, with one of those users reporting that their account was re-registered. Twilio has since shut the attack down and revoked the attacker’s access.