The phone numbers of nearly 2,000 customers of encrypted messaging platform Signal have been exposed following a phishing attack on one of its suppliers, cloud communications company Twilio.
An attacker gained access to the phone numbers of around 1,900 Signal users according to an advisory released by the company overnight. Signal engineers believe it will have been possible for them to “attempt to register the phone numbers they accessed to another device using the SMS verification code”.
Signal, which provides end-to-end encrypted messaging for businesses and consumers, counts companies including Ford and HSBC among its enterprise customers.
What happened in the Twilio attack?
Twilio was hit by a phishing attack earlier this month, confirming that data on 125 customer businesses was accessed by the attackers. Twilio did not specify how many individual users were impacted or what sort of data had been accessed, but its 150,000 corporate clients include Facebook and Uber, as well as Signal.
The problem has now been resolved, but Signal says its data was exposed during the time hackers had access to Twilio’s customer service portal. It believes that, aside from the phone numbers themselves, other sensitive information was not accessible to the attackers.
“All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected,” the advisory states.
Signal data breach: how the company has responded
Signal has reached out to all affected users via SMS to prompt them to re-register their accounts. The company is unregistering all affected phone numbers.
Information like contact lists and profile information can be recovered with a Signal pin code which cannot be accessed by the criminals. “However in the case that an attacker was able to re-register an account, they could send and receive Signal messages from that phone number,” the advisory warns.
For the best way to protect an existing account from this type of attack in the future, Signal recommends enabling the ‘registration lock’ function. “While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” it says.
Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.