Signal Says Twilio Breach May Have Affected 1,900 Users

Signal Messenger App Information Page on Play Store

Privacy-focused messaging app Signal on Monday said cybercriminals may have gained access to the phone numbers and SMS registration codes of 1,900 of its users.

The announcement follows a data breach earlier this month that allowed an unidentified threat actor to access Twilio’s systems. Signal relies on Twilio for SMS verification services, and the breach apparently exposed some Signal users’ data.

Signal explained that the attacker did not steal sensitive user data because it does not store such information. “Message history, profile info, contact lists, & other data were NOT & could not be accessed,” the company said on Twitter.

Signal is reaching out to the affected users with instructions on how to protect their accounts.

‘Sophisticated’ Phishing Attack

On Sunday, August 7, Twilio announced that an unauthorized party had gained access to its systems following a “sophisticated social engineering attack” targeting its employees. Posing as the company’s IT department, the threat actor reportedly sent current and former Twilio employees phishing SMS text messages.

The same malicious actor attempted to hack Cloudflare using a similar phishing scheme. However, Cloudflare’s security systems stopped the attack.

The SMS messages the hacker sent Twilio employees contained a URL that directed them to a page designed to look like the company’s official login page. The threat actor promptly swiped any login credentials entered on the malicious site.

Twilio said it has taken measures to shut down the malicious sites.

“The text messages originated from U.S. carrier networks,” Twilio said in a blog post. “We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down. Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”

Twilio Notified Signal of Potential Data Breach

Signal said Twilio informed the company of the breach, and after its investigations, it found that the breach may have exposed the phone numbers of 1,900 users and the SMS codes they used to register their accounts.

“During the window when the attacker had access to Twilio’s customer support systems it was possible for them to register the phone numbers they accessed to another device using the SMS verification code,” Signal revealed on its website.

Out of the 1,900 phone numbers exposed in the breach, Signal said the threat actor specifically searched for three numbers. It is unclear who those numbers belong to and why the hacker searched for them. However, Signal said one of the three users has reported that their account was re-registered.

Meanwhile, Signal has unregistered the accounts of all affected users. This would also unregister their accounts on any device the attacker may have added. The company has directed the 1,900 users to re-register Signal with their phone number.

In the wake of this breach, Signal has encouraged users to use the Signal PIN and to enable registration lock on their accounts. This adds a layer of protection when registering a new device. To do so, go to Signal Settings (profile) > Account > Registration Lock.

To learn more about Signal and what makes it different from other messaging apps, check out our article on Signal vs. WhatsApp.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.