The phone numbers of nearly 1,900 Signal users were exposed in the data breach that Twilio, a cloud communications provider, suffered at the beginning of the month.
Twilio provides phone number verification services for Signal. Last week, the company said that an attacker breached its network on August 4.
The communications company acknowledged that data belonging to 125 of its customers had been compromised after hackers used text messages with malicious links to breach Twilio staff members' accounts.
Hackers could register phone numbers to their device
Today, Signal published a notice for its users outlining how the Twilio cyberattack affected them:
“All users may rest easy knowing that their message histories, contact lists, profile details, blocked people, and other personal data were unaffected and remain private and safe.” – Warning
However, for roughly 1,900 Signal users, the Twilio attacker may have had access to their phone numbers and could have tried to register them to another device.
According to Signal’s investigation into the incident, the hacker’s access to Twilio’s customer support console either made it possible for them to see that the phone number in question was associated with a Signal account or gave them access to the SMS verification code needed to sign up for the service.
“It was feasible for an attacker to try to register the phone numbers they accessed to another device using the SMS verification code during the time that the attacker had access to Twilio’s customer care infrastructure. The attacker no longer has access to this, and Twilio has stopped the attack.” – Warning
According to the encrypted instant messaging service, the attacker “explicitly looked” for three of the 1,900 phone numbers. One of those users reported that their account had been re-registered.
Signal assures users that their message history is always safe because it is stored only on the device and not on the service's servers.
Contact lists and personal data are protected by the Signal PIN and remained safeguarded during the Twilio data incident.
SMS notifications are on their way
Signal warns that an attacker who re-registers an account to one of their own devices could use the phone number to send and receive Signal messages.
Signal will unregister all 1,900 affected users on all of their devices, and they must re-register their devices.
Signal is currently informing affected users of the risk through SMS and anticipates finishing the process by tomorrow.
Users who are affected should get a notification that says: “This is from Signal Messenger. We are contacting you to help you safeguard your Signal account. Open Signal and sign up once more. For more information, visit signal.org/smshelp.”
Users who recently used the service should also see a banner when they open the Signal app informing them that their device is no longer registered.
Signal strongly advises users to enable the registration lock option, which enables restoring the profile, settings, contacts, and blocked users. The feature requires the Signal PIN as an additional layer of verification and can only be enabled or disabled from the device.