Encrypted chat service Signal is reporting that 1,900 users may have had their phone numbers leaked due to hackers breaching Twilio, a service provider for the messaging app.
In addition, the same users may have had the SMS codes needed to register the Signal app to a smartphone leaked to the hackers. In the wrong hands, the exposed information paves the way for an attacker “to register a Signal user’s phone number on a new device if that user had not enabled registration lock,” or what amounts to a hijacking risk, the messaging app says.
“Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered,” Signal says. “In the case that an attacker was able to re-register an account, they could send and receive Signal messages from that phone number.”
As a result, Signal is notifying the 1,900 affected users by SMS about the potential exposure. Those users will also be required to re-register the Signal app on their smartphones.
The potential breach is unsettling since many Signal users expect the encrypted chat app to protect their privacy. The app is best known for offering end-to-end encryption, meaning Signal itself can’t read your messages. But the app has long required consumers to use a real phone number at sign-up, which has been a point of criticism.
Signal uses Twilio’s SMS messaging to deliver the verification codes that confirm phone numbers for new sign-ups on the app. Twilio says hackers infiltrated the company’s IT systems earlier this month by successfully phishing some company employees. The intruders temporarily accessed data belonging to 125 Twilio corporate clients before they were booted from the system.
In its defense, Signal is pointing out the Twilio breach only impacted a small number of victims relative to its user base of approximately 40 million. The end-to-end encryption on the app also ensured the attackers had no way of accessing users’ private messages.
“All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected,” the messaging app wrote on a support page.
Signal is also encouraging users to activate the “registration lock” in the Signal app. With the lock enabled, re-registering the number on a new device requires the user’s Signal PIN in addition to the SMS code, so a leaked verification code alone is no longer enough to hijack the account. “We created this feature to protect users against threats like the Twilio attack,” the messaging service adds.
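To make the hijacking path and the mitigation concrete, here is an added, simplified model of the registration flow described in the two paragraphs above. It is not Signal’s or Twilio’s code: the class names, the dictionary-backed storage, the sample phone number and the PBKDF2-based PIN check are illustrative assumptions. The point it demonstrates is structural: the SMS provider sees every verification code, so whoever controls the provider can pass the SMS check; a registration lock adds a secret (the PIN) that never transits the provider.

```python
"""Model of SMS-code registration with and without a registration lock.

Added example, not Signal's or Twilio's code. Names, storage and PIN hashing
are simplified assumptions; only the shape of the check mirrors the article.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VICTIM = "+15555550100"          # constructed sample number
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    device_id: str
    lock_salt: Optional[bytes] = None   # registration lock: salted PIN hash,
    lock_hash: Optional[bytes] = None   # both None when the lock is not enabled


class SmsProvider:
    """Stand-in for the third-party SMS gateway. Anyone who controls the
    provider's console can read every code that passes through it."""

    def __init__(self) -> None:
        self.log: List[Tuple[str, str]] = []     # (phone, code) as the provider sees it

    def send(self, phone: str, code: str) -> None:
        self.log.append((phone, code))


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class RegistrationServer:
    def __init__(self, sms: SmsProvider) -> None:
        self.sms = sms
        self.accounts: Dict[str, Account] = {}
        self.pending: Dict[str, str] = {}        # phone -> outstanding code

    def request_code(self, phone: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = code
        self.sms.send(phone, code)               # the only step the provider sees

    def _lock_satisfied(self, acct: Account, pin: Optional[str]) -> bool:
        if acct.lock_hash is None:
            return True                          # no lock: SMS code alone suffices
        if pin is None:
            return False
        # A real deployment must also rate-limit PIN attempts: a short PIN only
        # holds up against an attacker who gets a bounded number of guesses.
        return hmac.compare_digest(_hash_pin(pin, acct.lock_salt), acct.lock_hash)

    def register(self, phone: str, code: str, device_id: str,
                 pin: Optional[str] = None) -> bool:
        expected = self.pending.get(phone)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        existing = self.accounts.get(phone)
        if existing is not None and not self._lock_satisfied(existing, pin):
            return False                         # valid SMS code, no proof of PIN
        del self.pending[phone]
        new = Account(device_id=device_id)
        if existing is not None:                 # the lock survives a legitimate move
            new.lock_salt, new.lock_hash = existing.lock_salt, existing.lock_hash
        self.accounts[phone] = new
        return True

    def enable_registration_lock(self, phone: str, pin: str) -> None:
        acct = self.accounts[phone]
        acct.lock_salt = secrets.token_bytes(16)
        acct.lock_hash = _hash_pin(pin, acct.lock_salt)


def _setup(lock_pin: Optional[str]) -> Tuple[RegistrationServer, SmsProvider]:
    """Victim registers normally, then optionally enables the lock."""
    sms = SmsProvider()
    server = RegistrationServer(sms)
    server.request_code(VICTIM)
    if not server.register(VICTIM, sms.log[-1][1], "victim-phone"):
        raise RuntimeError("initial registration failed")
    if lock_pin is not None:
        server.enable_registration_lock(VICTIM, lock_pin)
    return server, sms


def hijack_via_provider(lock_pin: Optional[str]) -> bool:
    """The article's scenario: the attacker, reading the provider console,
    triggers a fresh code for the victim and registers it on their own device.
    Returns True if the attacker ends up owning the number."""
    server, sms = _setup(lock_pin)
    server.request_code(VICTIM)
    leaked_code = sms.log[-1][1]                 # read from the compromised provider
    taken = server.register(VICTIM, leaked_code, "attacker-phone")
    return taken and server.accounts[VICTIM].device_id == "attacker-phone"


def legitimate_move(lock_pin: str) -> bool:
    """The real owner moves to a new phone: SMS code plus the correct PIN."""
    server, sms = _setup(lock_pin)
    server.request_code(VICTIM)
    return server.register(VICTIM, sms.log[-1][1], "new-phone", pin=lock_pin)


if __name__ == "__main__":
    print("no lock, attacker owns number:", hijack_via_provider(None))
    print("lock set, attacker owns number:", hijack_via_provider("2468"))
    print("lock set, owner moves phones:  ", legitimate_move("2468"))
```

Run it and the first line prints True, the other two print False and True. The model makes the threat boundary visible: `SmsProvider.log` is exactly what a compromised Twilio would expose, and nothing the lock depends on ever lands in it.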
“While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” Signal says.