Signal confirms 1,900 of its users were compromised after Twilio breach
Last week, after a series of well-choreographed phishing attacks targeting Twilio employees, hackers infiltrated the company's customer support console and stole sensitive user information from it.
Signal has now confirmed that 1,900 of its users were affected by the attack. The company noted that during the period when the hackers had access to Twilio's customer support systems, they could also see the SMS verification codes sent to those 1,900 users and could therefore attempt to re-register the victims' Signal accounts on a different phone.
“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code,” a statement by the company read.
The company further added that the attackers were interested in three specific phone numbers out of the 1,900 exposed, and the owner of one of those accounts has already confirmed that their Signal account was re-registered.
Re-registering an account does not give the attackers access to the user's sensitive data such as past messages, profile information, or contact lists, because that data never leaves the user's devices. It does, however, let the attacker send and receive Signal messages from that number, meaning the hijacked account can be used for further phishing.
The good news is the hackers no longer have access to Twilio’s systems.
Signal has already started notifying the affected users and deregistering their accounts. As a safety measure, affected users will be required to re-register their accounts on all devices they use.
If you see a banner in Signal telling you that your account has been deregistered, it is probably because you were affected by the breach or because your account has been inactive for a long time.
Signal already has a preventative measure against this type of attack, but it is not enabled by default. The company had anticipated that something like this could happen, which led to the creation of Signal PINs and Registration Lock, a feature that prevents anyone who only holds the SMS verification code from registering an account with a user's phone number.
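To make the mechanism concrete, here is an added toy simulation (written for this article, not Signal's own code or protocol) of a registration server that verifies phone numbers with six-digit SMS codes and optionally requires a user-chosen PIN as a registration lock. The hypothetical `RegistrationService` keeps the codes in flight in `pending_codes`; that dictionary stands in for what an attacker could read from a compromised SMS provider's support console. The phone number, PIN and PBKDF2 cost parameter are constructed sample values, and the PIN verifier scheme is an assumption, not how Signal stores PINs.

```python
"""Toy model: SMS-code registration with an optional registration lock.

Illustrative simulation for the article above, not Signal's code. Assumes a
registration server that issues six-digit SMS codes through a third-party
provider, and an attacker who can read those codes from the provider's side.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumed cost parameter for the toy PIN verifier


@dataclass
class Account:
    phone: str
    device_id: str
    pin_salt: Optional[bytes] = None  # both None => registration lock is off
    pin_hash: Optional[bytes] = None


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive a verifier from the PIN so the server never stores the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


class RegistrationService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # Codes in flight. In the incident above, this is the data an attacker
        # with access to the SMS provider's support console could read.
        self.pending_codes: dict[str, str] = {}

    def send_sms_code(self, phone: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[phone] = code
        return code  # "delivered" to the phone; returned so the simulation can use it

    def enable_registration_lock(self, phone: str, pin: str) -> None:
        acct = self.accounts[phone]
        acct.pin_salt = secrets.token_bytes(16)
        acct.pin_hash = _hash_pin(pin, acct.pin_salt)

    def register(self, phone: str, device_id: str, sms_code: str,
                 pin: Optional[str] = None) -> str:
        """Return 'registered', 'bad_code' or 'locked'."""
        expected = self.pending_codes.get(phone)
        if expected is None or not hmac.compare_digest(expected, sms_code):
            return "bad_code"
        existing = self.accounts.get(phone)
        locked = existing is not None and existing.pin_hash is not None
        if locked:
            # Registration lock: a valid SMS code alone is not enough.
            if pin is None or not hmac.compare_digest(
                    _hash_pin(pin, existing.pin_salt), existing.pin_hash):
                return "locked"
        # The code is single-use; success moves the number to the new device.
        del self.pending_codes[phone]
        if locked:
            # The lock survives re-registration because the new device proved the PIN.
            self.accounts[phone] = Account(phone, device_id,
                                           existing.pin_salt, existing.pin_hash)
        else:
            self.accounts[phone] = Account(phone, device_id)
        return "registered"

    def owner_device(self, phone: str) -> Optional[str]:
        acct = self.accounts.get(phone)
        return acct.device_id if acct else None


def simulate_provider_compromise(lock_enabled: bool) -> tuple[str, str]:
    """Victim registers; an attacker who can read SMS codes tries to take the number.

    Returns (registration outcome for the attacker, device that now owns the number).
    """
    svc = RegistrationService()
    phone = "+15555550100"  # constructed sample number
    svc.register(phone, "victim-phone", svc.send_sms_code(phone))
    if lock_enabled:
        svc.enable_registration_lock(phone, "4921")  # constructed sample PIN
    svc.send_sms_code(phone)                   # code goes to the victim's phone...
    leaked_code = svc.pending_codes[phone]     # ...but is visible on the provider side
    outcome = svc.register(phone, "attacker-phone", leaked_code)
    return outcome, svc.owner_device(phone)


if __name__ == "__main__":
    print("lock off:", simulate_provider_compromise(False))
    print("lock on: ", simulate_provider_compromise(True))
```

With the lock off the leaked code is sufficient and the number moves to `attacker-phone`; with the lock on the same leaked code yields `locked` and the victim keeps the number, which is exactly why the article recommends enabling the feature. Note that the model deliberately does not transfer any message history on re-registration: only ownership of the number changes hands.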
Signal is now calling upon all its users to make sure that this feature is enabled.