An information breach earlier this month affecting Twilio, a gateway that helps net platforms talk over SMS or voice, might have had repercussions for users of Signal, the encrypted messaging platform. Today, Signal announced it has alerted 1,900 users that their accounts have been doubtlessly revealed to whoever hacked Twilio and mentioned that the attackers searched for 3 particular numbers in the course of the time they’d entry.
So far, Signal says it has heard from a kind of three users that the attackers used their Twilio entry to re-register a new system related to their quantity, which might permit them to ship and obtain messages from that account.
According to Signal, “message historical past, contact lists, profile data, whom they’d blocked, and different private knowledge” for all users remained safe. However, if somebody was among the many users doubtlessly revealed, they usually don’t use Signal’s Registration Lock setting that requires their PIN to add a new system, then an attacker may’ve re-registered their account.
We have recognized and are contacting the 1,900 doubtlessly affected users. We are prompting them to re-register their Signal numbers and inspiring them to allow registration lock. We are additionally working with Twilio to guarantee they improve their security practices. 3/
— Signal (@signalapp) August 15, 2022
Signal is sending messages with a link to its help web page for doubtlessly affected accounts, in addition to unregistering all units linked to these accounts, and mentioned it will likely be completed with this course of by tomorrow.
Summary
Recently Twilio, the corporate that gives Signal with cellphone quantity verification providers, suffered a phishing attack. Here’s what our users want to know:
All users can relaxation assured that their message historical past, contact lists, profile data, whom they’d blocked, and different private knowledge stay personal and safe and have been not affected.
For about 1,900 users, an attacker may have tried to re-register their quantity to one other system or realized that their quantity was registered to Signal. This assault has since been shut down by Twilio. 1,900 users is a very small share of Signal’s complete users, that means that the majority weren’t affected.
We are notifying these 1,900 users immediately, and prompting them to re-register Signal on their units. If you obtained an SMS message from Signal with a link to this help article, please comply with these steps:
Open Signal in your cellphone and register your Signal account once more if the app prompts you to accomplish that.
To greatest defend your account, we strongly advocate that you simply enable registration lock within the app’s Settings. We created this characteristic to defend users towards threats just like the Twilio assault.