- Signal announced that the incident was caused by a phishing attack that targeted Twilio, the company that provides Signal with phone number verification services.
- As a result of the attack, the attackers gained access to the customer support console of Twilio, revealing phone numbers or SMS verification codes.
- As a security measure, the company asked approximately 1,900 users to re-register Signal on their devices with an SMS message.
End-to-end encrypted messaging service Signal officially announced that a cyber attack targeting Twilio may have exposed the phone numbers of approximately 1,900 Signal users. The company notified the users and asked them to re-register Signal on their devices. Users who received such an SMS message need to:
- Open Signal on your phone and register your Signal account again if the app prompts you to do so.
- Enable registration lock, which Signal recommends to protect your account against threats like the Twilio attack.
Personal data will remain private and secure
Signal stated that Twilio, the company that provides Signal with phone number verification services, confirmed that it had suffered a phishing attack. As a result, an attacker gained access to Twilio's customer support console. For the affected users, either their phone number was potentially revealed as being registered to a Signal account, or the SMS verification code used to register with Signal was revealed.
Thus, attackers can attempt to register the phone numbers they accessed to another device using the SMS verification code. The attack has been shut down and the attacker no longer has this access. Signal also stated that message history is stored only on users' devices and that the company doesn't keep a copy. Information such as contact lists, profile information, and whom you've blocked can only be recovered with your Signal PIN.
The company also announced that it is in contact with Twilio and is working with Twilio and other providers to improve their security practices. The company started notifying users on August 15, and the process should be finished on August 16. The SMS message that the company sends says:
« This is from Signal Messenger. We’re reaching out so you can protect your Signal account. Open Signal and register again. »