
Phone numbers of 1,900 Signal users exposed as a result of Twilio security breach

For about 1,900 users, Twilio hackers could have attempted to re-register their number to another device or learned that their number was registered to Signal.

Communication company Twilio provides Signal with phone number verification services, and the recent security breach it suffered has also impacted some users of the popular instant-messaging app.

Twilio hackers could have attempted to re-register the number of Signal users to another device or learned that their number was registered to Signal.

“For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. This attack has since been shut down by Twilio. 1,900 users is a very small percentage of Signal’s total users, meaning that most were not affected.” reads the advisory published by Signal.

The company said that all users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected.

The Signal PIN was not exposed as part of this security breach.

The company is notifying the 1,900 impacted users and prompting them to re-register Signal on their devices. Users who have received an SMS message from Signal with a link to a support article have to follow these steps:

  1. Open Signal on your phone and register your Signal account again if the app prompts you to do so.
  2. To best protect your account, we strongly recommend that you enable registration lock in the app’s Settings. We created this feature to protect users against threats like the Twilio attack.

The attackers gained access to Twilio’s customer support console via phishing. For approximately 1,900 users, either 1) their phone numbers were potentially revealed as being registered to a Signal account, or 2) the SMS verification code used to register with Signal was revealed.

The experts added that the attacker explicitly searched for three numbers, and Signal received a report from one of those three users that their account was re-registered.

“We encourage users to enable registration lock for their Signal account. Using an optional registration lock with your Signal PIN adds an additional verification layer to the registration process. Go to Signal Settings (profile) > Account > Registration Lock to do this.” concludes the security advisory.
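The advisory's reasoning can be made concrete with a small model of the two registration scenarios it describes. The following is an added example, not code from Signal or Twilio: a toy registration service in which the SMS provider (and therefore anyone who has compromised its support console) can read every verification code it delivers. The phone number, PIN, salt and the PBKDF2-based lock derivation are constructed simplifications for illustration, not Signal's actual protocol. The point it shows is that a leaked SMS code is enough to take over an account that has no registration lock, while an account protected by a PIN-derived lock rejects the same attempt, because the PIN never passes through the SMS channel.

```python
"""Toy model of number re-registration with and without a registration lock.

Added example, not Signal's or Twilio's code. Models the failure mode in the
article: whoever can read SMS verification codes at the provider can re-register
a number unless a second secret that never transits SMS is also required.
"""
import hashlib
import hmac
import secrets

# Constructed salt for the example; a real service stores a random per-user salt.
SALT = b"constructed-example-salt"


def derive_lock_token(pin: str) -> bytes:
    """Derive the registration-lock verifier from the user's PIN (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)


class RegistrationService:
    def __init__(self):
        self.accounts = {}       # phone -> {"device": str, "lock": bytes | None}
        self.pending_codes = {}  # phone -> SMS code currently valid for that number
        self.sms_log = []        # everything the SMS provider can see in transit

    def register_account(self, phone, device, pin=None):
        lock = derive_lock_token(pin) if pin else None
        self.accounts[phone] = {"device": device, "lock": lock}

    def send_verification_code(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[phone] = code
        # The provider sees the code: this is exactly the exposure the breach created.
        self.sms_log.append((phone, code))
        return code

    def verify(self, phone, code, device, pin=None):
        """Complete (re)registration of `phone` on `device`."""
        expected = self.pending_codes.get(phone)
        if expected is None or not hmac.compare_digest(expected, code):
            return "rejected: bad code"
        acct = self.accounts.get(phone)
        if acct and acct["lock"] is not None:
            # Registration lock: the PIN-derived token must also match, and it is
            # never sent over SMS, so a provider-side attacker does not have it.
            if pin is None or not hmac.compare_digest(acct["lock"], derive_lock_token(pin)):
                return "rejected: registration lock"
        self.pending_codes.pop(phone)
        self.accounts[phone] = {"device": device, "lock": acct["lock"] if acct else None}
        return "registered"


def simulate_provider_compromise(lock_enabled: bool):
    """Attacker reads the victim's SMS code at the provider and tries to re-register.

    Returns (verification result, device the number is registered to afterwards).
    """
    svc = RegistrationService()
    victim = "+15550100"  # constructed number
    svc.register_account(victim, "victim-phone", pin="2468" if lock_enabled else None)
    svc.send_verification_code(victim)
    leaked_code = svc.sms_log[-1][1]  # read from the compromised provider's side
    result = svc.verify(victim, leaked_code, "attacker-phone")  # attacker has no PIN
    return result, svc.accounts[victim]["device"]


if __name__ == "__main__":
    print("no registration lock :", simulate_provider_compromise(False))
    print("registration lock on :", simulate_provider_compromise(True))
```

Without the lock the number ends up registered to the attacker's device; with the lock the same leaked code is rejected and the victim keeps the registration. Note that the model also shows why Signal's message history and contacts were unaffected: nothing in the registration path carries that data, so the exposure was limited to the number's registration status and the one-time code.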


Pierluigi Paganini


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
