1,900 Signal Customers' Data Exposed in Twilio Hack
Phone Numbers, SMS Registration Codes of Signal Users Exposed
Signal says the phone numbers and SMS verification codes of 1,900 customers were compromised, potentially allowing the attackers to take over these accounts. Signal says historical chats on its app remain protected by encryption and that it has taken steps to prevent further compromise.
Signal uses Twilio's phone number verification services for registering users on its communications platform.
Last week, after announcing the attack on Aug. 7, Twilio identified the threat actors who illegally accessed the data of 125 of its customers. Twilio said Wednesday the social engineering attacks are still ongoing but that there was no evidence of unauthorized access to customer passwords, authentication tokens or API keys so far.
Signal says the attacker accessed Twilio's customer support console during the cyberattack, exposing Signal users' phone numbers and account verification data.
Internal Investigation Findings
Signal says its internal investigation found the attackers controlled Twilio's customer support console for an undisclosed amount of time. This allowed them to view phone numbers and SMS verification codes of Signal members. The attackers could potentially use this data to re-register the exposed phone numbers to a device under their control and use it to impersonate users and send and receive messages with malicious intent.
The attacker searched for three specific numbers in the exposed data set, one of which has been reported as being re-registered, Signal says. The company did not immediately respond to Information Security Media Group's request for details on the three targeted users and on whether any of the other exposed phone numbers had been re-registered.
Data Vulnerability and Mitigation Measures
Signal says it uses end-to-end encryption on its application for both messages and calls, preventing Signal and the third parties it relies on from monitoring communications. Message history is safe too, as this data is stored only on the user's local device. User profile information and contact lists are protected by a Signal PIN, which is not stored by Signal and thus was not visible to Twilio or its attackers, Signal says.
To remediate the risk to the 1,900 users, Signal says it will unregister all of the affected accounts from the devices they are currently registered on. Users have been notified by SMS that they need to re-register their Signal account on a safe device with their preferred phone number, it says, and this process is estimated to be completed by Tuesday.
Signal also recommends using a registration lock designed to protect users against such attacks.
"Our registration lock function protects against these kinds of attacks. Enable registration lock by going into your Settings >> Account >> Registration Lock." — Signal (@signalapp), August 15, 2022