A data breach earlier this month affecting Twilio, a gateway that helps web platforms communicate over text or voice, may have had repercussions for users of Signal. The attackers searched for three specific numbers during the time they had access to the Twilio account of 1,900 users.
One of the three users has told Signal that the attackers used their Twilio access to re-register a device that would allow them to send and receive messages from that account.
Messages, contact lists, profile information, and other personal data for all users remained secure, according to Signal. If a user was exposed and had not enabled the registration lock setting, an attacker could re-register their account.
We have identified and are contacting the 1,900 potentially affected users. We are prompting them to re-register their Signal numbers and encouraging them to enable registration lock. We are also working with Twilio to ensure they upgrade their security practices. 3/
— Signal (@signalapp) August 15, 2022
By tomorrow, Signal will finish unregistering all devices connected to potentially affected accounts and sending messages with a link to its support page.
Summary
Recently Twilio, the company that provides Signal with phone number verification services, suffered a phishing attack. Here’s what our users need to know:
All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected.
For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. This attack has since been shut down by Twilio. 1,900 users is a very small percentage of Signal’s total users, meaning that most were not affected.
We are notifying these 1,900 users directly, and prompting them to re-register Signal on their devices. If you received an SMS message from Signal with a link to this support article, please follow these steps:
Open Signal on your phone and register your Signal account again if the app prompts you to do so.
To best protect your account, we strongly recommend that you enable registration lock in the app’s Settings. We created this feature to protect users against threats like the Twilio attack.