Signal says 1,900 user phone numbers were exposed in Twilio hack

16 Aug 2022

Signal has asked 1,900 users to re-register, as their phone numbers could have been exposed in the recent data breach impacting Twilio.

Encrypted messaging provider Signal has warned 1,900 users that their phone numbers were potentially exposed in the recent Twilio data breach.

Cloud communications company Twilio suffered an attack earlier this month, when employees were tricked into sharing their login credentials through a phishing scam. Twilio said a “limited number” of customers then had their data accessed by the threat actors.

Now, Signal said an attacker could have attempted to re-register the numbers of around 1,900 users to another device, or learned that their number was registered to the messaging app.

“Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered,” Signal said on its support page.

The messaging app has notified the 1,900 users directly through text and has unregistered them from the app. The company has asked these affected users to re-register Signal on their device as a precaution.

The encryption service said message history, contact lists, profile information and other personal data was not affected. Signal added that the attacker no longer has access to Twilio’s customer support systems.

However, it warned that if the threat actor re-registers a user account with a new device, they could then send and receive Signal messages from that number.

In response to the incident, Signal said users should enable registration lock for their accounts as this adds an “additional verification layer” to the registration process.

“The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against,” Signal said.

“While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users.”

Leigh Mc Gowran is a journalist with Silicon Republic
