Phone numbers of nearly 1900 Signal users were exposed in a data breach after Twilio, the company that provides Signal with phone number verification services, suffered a phishing attack. Signal is a messaging platform that gained massive popularity in India after WhatsApp changed its privacy policy in January 2021 to say that it would share user data with Facebook; that update was later reversed.
“1,900 users are a very small percentage of Signal’s total users, meaning that most were not affected. We are notifying these users directly, and prompting them to re-register Signal on their devices,” Signal said in a press statement. However, the company said that all users can be assured that “their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected.”
What happened exactly?
An attacker gained access to Twilio’s customer support console via phishing. This means the attackers sent a customer support executive a link which, when clicked, gave them access to Twilio’s customer support systems. With that access, they could attempt to register the phone numbers they accessed to another device using the SMS verification code.
For approximately 1,900 users, either their phone numbers were potentially revealed as being registered to a Signal account, or the SMS verification code used to register with Signal was revealed. According to Signal, the attacker no longer has this access, and the attack has been shut down by Twilio.
“Your contact lists, profile information, whom you’ve blocked, and more can only be recovered with your Signal PIN which was not (and could not be) accessed as part of this incident. However in the case that an attacker was able to re-register an account, they could send and receive Signal messages from that phone number,” Signal said in a blog post.
Are you affected?
Signal is notifying all 1,900 potentially affected users directly via SMS. As of August 16, the company has already notified users and is requiring them to re-register Signal with their phone numbers.
The SMS message that Signal is sending to affected users reads: “This is from Signal Messenger. We’re reaching out so you can protect your Signal account. Open Signal and register again.” If you saw a banner when you opened Signal saying your device is no longer registered, you may have been impacted.
Staying safe
Users should enable registration lock for their Signal account. This optional feature uses your Signal PIN to add an additional verification layer to the registration process. Here’s how you can do it:
1. Go to Signal Settings (profile)
2. Click on Account
3. Set up ‘Registration Lock’
“We are in contact with Twilio and are actively working with them and other providers to improve their security practices. On the user side, we encourage users to enable registration lock,” Signal added.