Phone numbers of close to 1,900 Signal users were exposed in the data breach Twilio cloud communications company suffered at the beginning of the month.
Twilio provides phone number verification services for Signal and last week disclosed that an attacker hacked its network on August 4.
The communications company confirmed that data belonging to 125 of its customers was exposed after the hackers gained access to Twilio employee accounts by sending them text messages with malicious links.
Hacker could register phone numbers to their device
Signal today published an advisory for its users informing them how the cyberattack on Twilio impacted them:
“All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected” – Signal
But for about 1,900 Signal users their phone numbers were potentially exposed to the Twilio attacker, who could have attempted to register them to another device.
Signal’s investigation into the incident concluded that the hacker’s access to Twilio’s customer support console either allowed them to see that the phone number was linked to a Signal account or revealed the SMS verification code for registering with the service.
“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code. The attacker no longer has this access, and the attack has been shut down by Twilio” – Signal
The encrypted instant messaging service says that from the 1,900 phone numbers, the attacker “explicitly searched” for three of them. One of these users reported that their account was re-registered.
Signal reassures users that the message history remained safe at all times because it is available only on the device with no copy on the service’s servers.
Contact lists and profile information is protected by the Signal PIN, which could not be accessed during the Twilio data breach.
SMS notifications on their way
The company warns that if an attacker re-registers an account to one of their devices, they would be able to send and receive Signal messages from that phone number.
All affected 1,900 Signal users will be unregistered on all devices and they should go through the registering process on their devices.
Signal is now in the process of sending SMS messages to affected users to let them know about the risk and is expecting to complete the process by tomorrow.
Impacted users should receive a message reading: “This is from Signal Messenger. We’re reaching out so you can protect your Signal account. Open Signal and register again. More info: https://signal.org/smshelp.”
When opening the Signal app, they should also see a banner notifying them that their device is no longer registered, if they used the service recently.
Signal encourages users to turn on the registration lock option, which allows recovering the profile, settings, contacts, and blocked users. The feature can be enabled or disabled only from the device and requires the Signal PIN as an additional verification layer.