About 1,900 Signal Accounts May Be Compromised Due to the Twilio Hack

Twilio and Signal hack
Written by Carina Wilson

The phone numbers of approximately 1,900 Signal users were compromised in a hack and data breach that targeted cloud-based PaaS company Twilio earlier this month.

Let me remind you that the Twilio hack occurred in early August 2022. Then unknown attackers organized a phishing attack on the company’s employees, stole their account data, and then used to access data of some customers. As it became known later, this incident affected 125 Twilio client companies.

Now the developers of the Signal messenger have published a statement, according to which the attack on Twilio has also affected their users. The fact is that Signal uses Twilio to send verification SMS codes to users who register in the application.

All of our users can rest assured that their message history, contact lists, profile information, blocked contacts and other personal data are still private and secure and unaffected [during the incident].the company says.

However, the phone numbers of approximately 1,900 Signal users could have fallen into the hands of the attackers who hacked into Twilio, and hackers could use this opportunity to re-register on another device.

The fact is that Signal’s own investigation revealed that the access to the Twilio customer support console obtained by hackers allowed them to find out the phone numbers associated with Signal accounts, and also revealed SMS verification codes that were used to register with the service.

While the attackers had access to Twilio’s customer support systems, they could try to re-register the phone numbers available to them on another device using SMS verification. Attackers no longer have such access, [specialists] Twilio stopped the attack.Signal explains.

Signal developers say that out of all 1,900 phone numbers, the attackers were clearly interested in only three numbers that the hackers were specifically looking for. One of these users reported that his account did get re-registered.

The company emphasizes that user message history is safe because it is only available on the device itself and is not copied to Signal servers. In turn, contact lists and profile information are protected by a PIN, which was not available to Twilio hackers.

Signal is currently sending SMS notifications to all affected people about the incident and warning that, for security reasons, all 1,900 users will need to re-register on their devices.

The developers also recommend that all users enable registration protection. This added security measure requires a PIN when registering a phone number on a new device.

About the author

Carina Wilson

With over 10 years' experience of writing for online and print media, I'm an expert in delivering clear and compelling copy.

I've written for a leading SEO copywriting agency as well as writing for some of the UK’s best known brands, magazines and newspapers.

Leave a Comment