View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
August 16, 2022updated 17 Aug 2022 4:55am

Signal users have phone numbers exposed in data breach after Twilio hack

The messaging platform says other personal data from users is secure, but has issued a safety advisory.

By Claudia Glover

The phone numbers of nearly 2,000 customers of encrypted messaging platform Signal have been exposed following a phishing attack on one of its suppliers, cloud communications company Twilio.

Signal data breach
Signal believes that only the phone numbers of users were exposed, with other more personal data remaining untouched. (Photo courtesy of iStock)

An attacker gained access to the phone numbers of around 1,900 Signal users according to an advisory released by the company overnight. Signal engineers believe it will have been possible for them to “attempt to register the phone numbers they accessed to another device using the SMS verification code”.

Signal, which provides end-to-end encrypted messaging for businesses and consumers, counts companies including Ford and HSBC among its enterprise customers.

What happened in the Twilio attack?

Twilio was hit by a phishing attack earlier this month, confirming that data on 125 customer businesses was accessed by the attackers. Twilio did not specify how many individual users were impacted or what sort of data had been accessed, but its 150,000 corporate clients include Facebook and Uber, as well as Signal.

The problem has now been resolved, but Signal says its data was exposed during the time hackers had access to Twilio’s customer service portal. It believes that, aside from the phone numbers themselves, other sensitive information was not accessible to the attackers.

“All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected,” the advisory states.

Signal data breach: how the company has responded

Signal has reached out to all affected users via SMS to prompt them to re-register their accounts. The company is unregistering all affected phone numbers.

Information like contact lists and profile information can be recovered with a Signal pin code which cannot be accessed by the criminals. “However in the case that an attacker was able to re-register an account, they could send and receive Signal messages from that phone number,” the advisory warns.

Content from our partners
The growing cybersecurity threats facing retailers
Cloud-based solutions will be key to rebuilding supply chains after global stress and disruption
How to integrate security into IT operations

For the best way to protect an existing account from this type of attack in the future, Signal recommends enabling the ‘registration lock’ function. “While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” it says.

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.

Read more: Online safety bill changes could put UK data at risk

Topics in this article: ,
Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy
SUBSCRIBED
THANK YOU