A data breach earlier this month affecting Twilio, a gateway that helps web platforms communicate over SMS or voice, may have had repercussions for users of Signal, the encrypted messaging platform. Today, Signal announced it has alerted 1,900 users that their accounts were potentially revealed to whoever hacked Twilio and said that the attackers searched for three specific numbers during the time they had access.
So far, Signal says it has heard from one of those three users that the attackers used their Twilio access to re-register a new device associated with their number, which would allow them to send and receive messages from that account.
According to Signal, “message history, contact lists, profile information, whom they’d blocked, and other personal data” for all users remained secure. However, if someone was among the users potentially revealed, and they don’t use Signal’s Registration Lock setting that requires their PIN to add a new device, then an attacker could’ve re-registered their account.
We have identified and are contacting the 1,900 potentially affected users. We are prompting them to re-register their Signal numbers and encouraging them to enable registration lock. We are also working with Twilio to ensure they upgrade their security practices. 3/
— Signal (@signalapp) August 15, 2022
Signal is sending potentially affected accounts a message with a link to its support page and unregistering all devices connected to those accounts, and said it will be done with this process by tomorrow.
Recently Twilio, the company that provides Signal with phone number verification services, suffered a phishing attack. Here’s what our users need to know:
All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected.
For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. This attack has since been shut down by Twilio. 1,900 users is a very small percentage of Signal’s total users, meaning that most were not affected.
We are notifying these 1,900 users directly, and prompting them to re-register Signal on their devices. If you received an SMS message from Signal with a link to this support article, please follow these steps:
Open Signal on your phone and register your Signal account again if the app prompts you to do so.
To best protect your account, we strongly recommend that you enable registration lock in the app’s Settings. We created this feature to protect users against threats like the Twilio attack.