The phone numbers of approximately 1,900 Signal users were compromised in a hack and data breach that targeted cloud-based PaaS company Twilio earlier this month.
让我提醒你 这 Twilio hack occurred in early August 2022. Then unknown attackers organized a phishing attack on the company’s employees, stole their account data, and then used to access data of some customers. As it became known later, this incident affected 125 Twilio client companies.
Now the developers of the Signal messenger have published a statement, according to which the attack on Twilio has also affected their users. The fact is that Signal uses Twilio to send verification SMS codes to users who register in the application.
然而, the phone numbers of approximately 1,900 Signal users could have fallen into the hands of the attackers who hacked into Twilio, and hackers could use this opportunity to re-register on another device.
The fact is that Signal’s own investigation revealed that the access to the Twilio customer support console obtained by hackers allowed them to find out the phone numbers associated with Signal accounts, and also revealed SMS verification codes that were used to register with the service.
Signal developers say that out of all 1,900 phone numbers, the attackers were clearly interested in only three numbers that the hackers were specifically looking for. One of these users reported that his account did get re-registered.
The company emphasizes that user message history is safe because it is only available on the device itself and is not copied to Signal servers. In turn, contact lists and profile information are protected by a PIN, which was not available to Twilio hackers.
Signal is currently sending SMS notifications to all affected people about the incident and warning that, for security reasons, all 1,900 users will need to re-register on their devices.
The developers also recommend that all users enable registration protection. This added security measure requires a PIN when registering a phone number on a new device.
发表评论