About 1,900 users of Signal, the messaging app often considered the gold standard of privacy, may have had their phone numbers or SMS verification codes accessed by hackers. The breach was part of a phishing attack on the communications company Twilio, which provides Signal's SMS verification service.
From Signal’s Monday announcement acknowledging the data breach:
- An attacker gained access to Twilio’s customer support console via phishing. For approximately 1,900 users, either 1) their phone numbers were potentially revealed as being registered to a Signal account, or 2) the SMS verification code used to register with Signal was revealed.
- During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code. The attacker no longer has this access, and the attack has been shut down by Twilio.
Thankfully, the extent of the hack was relatively small (for context: Signal has about 40 million monthly active users), and many of the privacy measures Signal already employs seem to have done their job protecting user information. The company emphasized that message history, message content, contacts, profile information, and other personal data have not been impacted. Instead, the hack allowed attackers to learn, and potentially register new devices to, a small subset of Signal users' phone numbers.
“Message history is stored only on your device and Signal does not keep a copy of it. Your contact lists, profile information, whom you’ve blocked, and more can only be recovered with your Signal PIN which was not (and could not be) accessed as part of this incident. However in the case that an attacker was able to re-register an account, they could send and receive Signal messages from that phone number,” wrote the company.
Signal’s phone number registration requirement has long been a sore spot for those particularly concerned with anonymity and security. Many online discussions have advocated for a switch to usernames over phone numbers, out of fears of this type of breach.
The primary risk to victims of the hack is that they could be impersonated by the attackers through their Signal account, which appears to have been the goal in at least three cases. The company reported that the attacker explicitly searched for three phone numbers, and that at least one of those accounts was re-registered. Because re-registration generates a new identity key, the victim's contacts would see a safety number change for that account; a safety number change that the contact cannot explain is the practical signal to look for.
Signal said that all impacted users would be notified directly via SMS, beginning today. Note: If you’re one of the 1,900, that message will read: “This is from Signal Messenger. We’re reaching out so you can protect your Signal account. Open Signal and register again. More info: https://signal.org/smshelp.”
Those affected will also have all of their devices unregistered from the platform, and will need to re-register their phone number with Signal on their preferred device.
The company further pointed out that all users can enable registration lock for their Signal account in settings. Registration lock prevents a new device from registering on an existing account without the account's Signal PIN, so possession of the SMS verification code alone is no longer sufficient.
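As an added illustration, not Signal's code or protocol, the following constructed Python model shows why a leaked SMS verification code is enough to re-register a number when no registration lock is set, and why a PIN-backed lock defeats the same attempt. The service class, the phone number, the device names and the PBKDF2-based PIN verifier are all assumptions made for the example; Signal's real server and PIN design differ.

```python
"""Constructed model of SMS registration with and without a registration lock.

This is an added example, not Signal's implementation. The threat modelled is
the one described above: an attacker who can read verification codes on the
SMS provider's side (e.g. via a compromised support console) but who does not
know the victim's PIN.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000  # assumption; Signal's real PIN hashing differs


class RegistrationService:
    """Toy registration server: phone -> {"device": name, "lock": verifier|None}."""

    def __init__(self):
        self.accounts = {}
        self.pending_codes = {}  # phone -> 6-digit code handed to the SMS provider

    def send_sms_code(self, phone):
        """Issue a one-time code. The return value models the provider's view of it."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[phone] = code
        return code

    def enable_registration_lock(self, phone, pin):
        """Store a salted PBKDF2 verifier of the PIN; the PIN itself is never kept."""
        if phone not in self.accounts:
            raise ValueError("account must be registered before locking")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
        self.accounts[phone]["lock"] = (salt, digest)

    def _pin_matches(self, lock, pin):
        salt, digest = lock
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, digest)

    def register(self, phone, device, sms_code, pin=None):
        """Bind `device` to `phone`. Needs the SMS code, plus the PIN if a lock exists."""
        expected = self.pending_codes.get(phone, "")
        if not hmac.compare_digest(expected, sms_code):
            return "rejected: bad sms code"
        existing = self.accounts.get(phone)
        if existing and existing["lock"] is not None:
            if pin is None or not self._pin_matches(existing["lock"], pin):
                return "rejected: registration lock"
        del self.pending_codes[phone]  # code is single-use
        lock = existing["lock"] if existing else None
        self.accounts[phone] = {"device": device, "lock": lock}
        return "registered"


def takeover_attempt(lock_enabled):
    """Replay the incident's attack path; returns the server's verdict for the attacker."""
    phone = "+15550100"  # constructed number for the example
    svc = RegistrationService()

    # Victim registers normally and, optionally, sets a registration lock.
    svc.register(phone, "victim-phone", svc.send_sms_code(phone))
    if lock_enabled:
        svc.enable_registration_lock(phone, "4821")

    # Attacker requests a fresh code for the number and reads it on the
    # provider side, exactly what console access to the SMS vendor allows.
    leaked_code = svc.send_sms_code(phone)
    verdict = svc.register(phone, "attacker-phone", leaked_code)
    return verdict, svc.accounts[phone]["device"]


if __name__ == "__main__":
    print("no lock:  ", takeover_attempt(lock_enabled=False))  # attacker wins
    print("with lock:", takeover_attempt(lock_enabled=True))   # attacker rejected
```

The model deliberately lets the attacker obtain a valid code, because that is the capability the Twilio compromise granted; the only thing standing between that capability and a re-registered account is whether the victim had a PIN-backed lock set. Note that in this toy the lock can be enabled only after a first successful registration, which is also why enabling it before an incident, not after, is what matters.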
Twilio first announced that it had been attacked earlier this month, in an August 7 blog post. The company provides communications tools and services to thousands of clients, including Signal but also Facebook, Uber, Lyft, Airbnb, and Twitter. According to Twilio, employees were targeted with a phishing link and message asking them to reset their login information. When some staff fell for the ploy, attackers were able to use those employee credentials to access internal systems and customer data.
“We have identified approximately 125 Twilio customers whose data was accessed by malicious actors for a limited period of time, and we have notified all of them,” the company wrote in an update on August 10. Clearly, Signal was one of those impacted Twilio customers, but the total extent of the hack remains unknown.
And, according to Twilio, the phishing attack appears to be coordinated and ongoing. The comms giant wrote that other companies have also been subject to similar attempted hacks, and that phishing attempts and messages continue to roll in.