Twilio breach exposes 1,900 Signal users' phone numbers


1,900 Signal users are at risk as attackers may have accessed their phone numbers and SMS registration codes following the Twilio breach.

Last week, the digital communications platform Twilio fell victim to a sophisticated social engineering attack. As a result, threat actors gained access to customer data.

Signal messaging service, which uses Twilio as an SMS verification service, said on Monday that it identified 1,900 potentially affected users.

ADVERTISEMENT

"Via Twilio, attackers may have accessed phone numbers & SMS registration codes for 1,900 Signal users. Message history, profile info, contact lists, & other data were NOT & could not be accessed," Signal said.

Threat actors could use the information to attempt to register a Signal user's phone number on a new device if that user had not enabled the registration lock. Signal has identified potential victims, prompting them to re-register their Signal numbers and enable registration lock.

Signal said it would complete notifying users by August 16, and their message reads: "This is from Signal Messenger. We're reaching out so you can protect your Signal account. Open Signal and register again. More info."

"If you saw a banner when you opened Signal saying your device is no longer registered, you may have been impacted, but there are other reasons why you may no longer be registered, such as a long period of inactivity," the company added.

Signal assured that no personal data was accessed or hacked as the app does not have access to message history, contact list, profile information, and any other personal data.

"This information certainly is not available to Twilio or via the access temporarily gained by Twilio's attackers. However, in the case that an attacker was able to re-register an account during the time that the Twilio attack was active, they could send and receive messages from that phone number on Signal," the company said.

It encourages users to enable registration lock, which adds an additional verification layer to the registration process. Simply go to Signal Settings (profile) > Account > Registration Lock to do this.

ADVERTISEMENT