The attack targeted Signal’s phone number authentication partner company, Twilio
The messaging app service Signal said on Monday a phishing attack against its SMS verification partner Twilio meant hackers had accessed phone numbers and registration codes of 1,900 Signal users.
In a series of tweets today and a blog post, Signal assured users that message history, contact lists, profile information, and blocked user data had not been exposed by the attack. Furthermore, the messaging company confirmed that Twilio shut down the attack.
The information that the hacker accessed would allow them to register the phone numbers on a new device, if the users had not enabled the ‘lock registration’ feature. Signal noted that the hacker specifically searched for three phone numbers, and that one account was re-registered.
“For all 1,900 of the users potentially affected, we will unregister Signal on all devices that the user is currently using (or, that an attacker registered them to) and require them to re-register Signal with their phone number on their preferred device,” stated Signal’s blog post.
Signal also added that it was working with Twilio and other service providers to ensure that their security standards were adequate.
“1,900 users is a very small percentage of Signal’s total users, meaning that most were not affected,” Signal added.
Users have criticised Signal for requiring a phone number which it then authenticates, as more subscribers push for a messaging service based on usernames.