Despite its reputation as the most secure messaging app, Signal revealed on Monday that 1,900 of its users were affected by a security breach at the company that verifies their phone numbers. As a result of the breach, the phone numbers of these users were made public.
In a post detailing the incident, Signal says that Twilio was the victim of a phishing attack. Twilio states in its own blog post that the incident was caused by a “sophisticated social engineering attack designed to steal employee credentials.”
Some Twilio employees’ credentials were compromised in the attack. According to Twilio, 125 customers may have had their information exposed. Signal is one of the affected customers.
Thanks to its end-to-end encryption, Signal has maintained its status as the most secure messaging app. A malicious actor cannot access a Signal user’s messages without first gaining physical access to the user’s device.
Therefore, Signal users can rest assured that their private conversations have not been hacked. Again, Signal’s design ensured that user profiles, contact lists, and other information remained secure.
However, Signal Warns That the Users Affected by the Breach May Have Encountered the Following Issues:
About 1,900 users may have had their numbers compromised in one of two ways: either the attacker attempted to re-register their number to another device, or the attacker learned that their number was registered with Signal and used that knowledge to send spam. Twilio has since cut off the attacker’s access.
Among those 1,900 users, one said their Signal account had been re-registered on another device without their knowledge or consent, as reported by Signal. Signal adds that the vast majority of its users were not impacted by the hack.
The fact that this security breach has had minimal effects shows how well-designed Signal’s security is. However, the security issue serves as a reminder of Signal’s major drawback: the need for users to provide a registered phone number before they can send and receive messages.
There have been rumors that Signal will soon support user IDs in place of phone numbers, but this has yet to be implemented.
And What, Precisely, Occurred?
Signal’s phone number verification service provider, Twilio, informed us that they had been the target of a phishing attempt. After looking into the matter, we came to the following conclusions.
Via phishing, a hacker was able to access Twilio’s customer support dashboard. About 1,900 Signal users may have had their phone numbers or SMS verification codes exposed.
A potential attacker could have used the time they were able to access Twilio’s customer support systems to try to register the numbers they obtained with a new device by sending an SMS verification code to that device. Twilio has disabled the attack and the attacker no longer has access.
The attacker explicitly searched for three specific phone numbers among the list of 1,900; one of those users reported that their account was re-registered as a result.
Even so, the attacker was not able to see that user’s messages, profile, or contact list. Signal does not keep a record of your conversation history; only your device stores your messages.
Since your Signal PIN was not compromised in this incident, all of your data, including your contact list, profile, and the people you’ve blocked, remains secure. If the attacker was able to re-register an account, however, they could send and receive Signal messages from that phone number.
All Affected Users Will Be Shielded by The Following Measures:
All 1,900 affected users will have their Signal accounts deleted from any and all devices they are currently using (or that an attacker registered them to) and will be required to re-register Signal using their preferred device and phone number.
Every one of the 1,900 users who could be affected will receive a direct message from us.
We have started notifying users and asking them to re-register their phone numbers with Signal as of August 15th. At this rate, we should be done by August 16th.
Signal features like registration lock and Signal PINs were developed to safeguard against exactly the kind of telecom-side attack that Twilio suffered. To protect their accounts, users are strongly urged to turn on registration lock.
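The following Python model, an added illustration and not Signal’s own code, shows why registration lock matters in this incident. It simulates a registration service where an SMS verification code alone binds a phone number to a device (the position an intruder at the SMS provider would be in), and then adds a registration lock that also requires a secret derived from the user’s PIN, which the SMS provider never sees. The phone number, PIN, PBKDF2 key derivation and the service’s internal layout are all constructed assumptions for the example.

```python
"""Toy model of phone-number registration guarded by a registration lock.

Added illustration, not Signal's code. It models the risk described in the
article: whoever can read SMS verification codes at the SMS provider can
complete registration for a number, unless the account also carries a
registration lock that demands a PIN-derived secret the provider never sees.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def derive_reglock_key(pin: str, phone: str) -> bytes:
    """Client-side derivation of the registration-lock secret from the PIN.
    Assumption: PBKDF2 stands in for whatever KDF a real service would use."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), phone.encode(), 100_000)


@dataclass
class Account:
    phone: str
    device_id: str
    reglock_hash: Optional[bytes] = None  # None means registration lock is off


class RegistrationService:
    """Server side: stores accounts and the one-time codes handed to the SMS provider."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.pending_codes: dict[str, str] = {}  # phone -> code given to the SMS provider

    def send_sms_code(self, phone: str) -> str:
        """Issue a one-time code; in real life the SMS provider carries it to the phone."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending_codes[phone] = code
        return code

    def enable_registration_lock(self, phone: str, pin: str) -> None:
        """Store only a hash of the PIN-derived key, so the server never holds the key itself."""
        key = derive_reglock_key(pin, phone)
        self.accounts[phone].reglock_hash = hashlib.sha256(key).digest()

    def register(self, phone: str, device_id: str, sms_code: str,
                 reglock_key: Optional[bytes] = None) -> bool:
        """Bind `phone` to `device_id`. The SMS code is always required; if the
        account has a registration lock, the PIN-derived key must also be presented."""
        if self.pending_codes.get(phone) != sms_code:
            return False
        existing = self.accounts.get(phone)
        if existing is not None and existing.reglock_hash is not None:
            if reglock_key is None:
                return False
            presented = hashlib.sha256(reglock_key).digest()
            if not hmac.compare_digest(existing.reglock_hash, presented):  # constant-time compare
                return False
        # Re-registration keeps the existing lock; a brand-new account starts unlocked.
        self.accounts[phone] = Account(
            phone, device_id,
            reglock_hash=existing.reglock_hash if existing else None,
        )
        del self.pending_codes[phone]
        return True


def simulate() -> dict[str, bool]:
    """Constructed scenario: the owner knows the PIN; a second party can read
    SMS codes in transit but nothing else. Returns the outcome of each attempt."""
    svc = RegistrationService()
    phone = "+15550000001"  # constructed sample number
    owner_pin = "2468"      # constructed sample PIN
    results: dict[str, bool] = {}

    # Initial registration by the owner; no registration lock yet.
    code = svc.send_sms_code(phone)
    results["owner_initial"] = svc.register(phone, "owner-phone", code)

    # 1. Without a lock, the SMS code alone is enough to move the number to another device.
    code = svc.send_sms_code(phone)
    results["sms_code_only"] = svc.register(phone, "other-device", code)

    # Owner takes the number back and turns on registration lock.
    code = svc.send_sms_code(phone)
    svc.register(phone, "owner-phone", code)
    svc.enable_registration_lock(phone, owner_pin)

    # 2. With the lock on, the SMS code alone is refused...
    code = svc.send_sms_code(phone)
    results["sms_code_with_lock"] = svc.register(phone, "other-device", code)

    # 3. ...while the owner, who can derive the key from the PIN, still re-registers.
    code = svc.send_sms_code(phone)
    results["owner_with_pin"] = svc.register(
        phone, "owner-new-phone", code, derive_reglock_key(owner_pin, phone))
    return results


if __name__ == "__main__":
    for step, ok in simulate().items():
        print(f"{step:20s} -> {'registered' if ok else 'refused'}")
```

The model deliberately keeps the SMS code as a necessary but not sufficient factor: the lock does not replace phone verification, it adds a second secret that lives only with the user, which is exactly the property that makes a provider-side compromise insufficient for an account takeover.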
The problems plaguing the telecom industry are beyond our sphere of influence, but we are committed to working with Twilio and possibly other providers to improve their security where it matters most to our customers.
Was I Impacted by This?
According to the data provided by Twilio, 1,900 customers may have been affected. In this case, we’re using text messages to alert the users in question. The notification process will begin on August 15 and is expected to be finished by August 16.
“This is from Signal Messenger,” reads the text message we’re sending to these users. “In an effort to keep your Signal account secure, we’ve reached out to you. Launch Signal and log in once more. Visit https://signal.org/smshelp for details.”
Affected users may have seen a banner upon opening Signal stating their device is no longer registered; however, there are other possible causes for this, such as an extended period of inactivity.
Has Someone Hacked Into or Accessed Any of My Private Information?
No. Signal was designed to ensure that your information remains under your control, not ours. Signal does not collect or store any of your private information, including messages, contacts, profiles, and the people you block.
Neither Twilio nor the hackers who temporarily compromised Twilio have access to this data. However, if an attacker were to successfully re-register an account while the Twilio attack was ongoing, they would be able to use that number to send and receive Signal messages.
Could Someone I’ve Been Talking To Have Been Affected?
Since only a handful of people were affected, that seems highly improbable. To find out whether a contact was affected, you can message them and ask whether they received an SMS from Signal with instructions on how to re-register their account and links to additional resources.