Signal confirms 1,900 of its users were hit by Twilio breach
Last week's phishing attack on Twilio has exposed phone numbers and compromised user accounts


Encrypted messaging platform Signal has confirmed that a number of its customers have been affected by the phishing attack on Twilio last week.
The company believes around 1,900 of its users are potentially affected by the breach of the communication API firm, with phone numbers and SMS verification codes potentially exposed to the hackers.
Signal said Twilio informed it of the breach at the time, and a subsequent investigation revealed the hackers gained access to Twilio’s customer support console.
“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code,” said Signal in a public disclosure. “The attacker no longer has this access, and the attack has been shut down by Twilio.”
It added that the attackers specifically searched for three phone numbers out of the total 1,900 exposed, and the owner of one of these numbers has confirmed to Signal that their account was re-registered.
Re-registering a user’s account does not give the attacker access to any messages, profile information, or contact lists, Signal said, since this data is stored on a user’s device only.
“Your contact lists, profile information, whom you’ve blocked, and more can only be recovered with your Signal PIN which was not (and could not be) accessed as part of this incident,” it told customers.
By re-registering a user’s account, an attacker would be able to send and receive Signal messages from that phone number, however.
Signal is currently in the process of notifying all affected users by SMS and is de-registering Signal on all affected users’ devices. The 1,900 users will be required to re-register their accounts with their phone numbers on all devices they use.
This process began on Monday and Signal expects to complete it by the end of the day.
As a result of the action Signal took following Twilio’s breach, some users will have seen a banner in the app saying their account has been de-registered.
This may mean they were affected by the incident, it said, or it could indicate their account had been inactive for a long period.
Signal said it had anticipated this type of attack, which is why it developed features such as Signal PINs and registration lock – a feature that prevents anyone else from registering an account with a user’s phone number.
Registration lock is not enabled by default, and Signal recommends that all users enable it in the app’s settings menu, using a Signal PIN.
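As an added illustration, not Signal’s code and not part of the article, the following simplified Python model shows the flow the article describes: an SMS verification code alone is enough to move a number to another device unless registration lock is enabled, in which case a PIN-derived verifier is also required. The class, the method names and the use of PBKDF2 as the PIN-stretching function are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed, simplified model of SMS registration with an optional
# registration lock. Not Signal's implementation; for illustration only.

def derive_lock_key(pin: str, salt: bytes) -> bytes:
    """Derive a registration-lock verifier from a user PIN.
    PBKDF2 stands in for the memory-hard KDF a real deployment would use."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class RegistrationServer:
    def __init__(self):
        self.accounts = {}     # phone -> {"device": str, "lock": (salt, key) or None}
        self.pending_sms = {}  # phone -> six-digit verification code

    def register(self, phone: str, device: str) -> None:
        self.accounts[phone] = {"device": device, "lock": None}

    def enable_registration_lock(self, phone: str, pin: str) -> None:
        salt = os.urandom(16)
        self.accounts[phone]["lock"] = (salt, derive_lock_key(pin, salt))

    def send_sms_code(self, phone: str) -> str:
        # In the incident, codes like this were visible via the support console.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending_sms[phone] = code
        return code

    def reregister(self, phone: str, device: str, sms_code: str, pin: str = None) -> str:
        """Move the number to a new device. Returns a status string."""
        if phone not in self.accounts:
            return "rejected: unknown number"
        if not hmac.compare_digest(self.pending_sms.get(phone, ""), sms_code):
            return "rejected: bad sms code"
        lock = self.accounts[phone]["lock"]
        if lock is not None:
            salt, expected = lock
            if pin is None or not hmac.compare_digest(derive_lock_key(pin, salt), expected):
                return "rejected: registration lock"
        # Success: the code is consumed and the number now points at the new
        # device, which starts with no message history (data lives on devices).
        self.pending_sms.pop(phone, None)
        self.accounts[phone]["device"] = device
        return "registered"
```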
What happened in the Twilio breach?
Last week, several Twilio employees were targeted by socially engineered phishing attacks which resulted in some staff handing over passwords to the attackers.
SMS messages were sent with password reset links which directed targets to fake Twilio pages where attackers harvested the login credentials of some staff members.
Targets were addressed by their name, in some cases, and texts appeared to be sent from Twilio’s IT department, the company said.
It is unclear who was behind the attack, but the attackers were thought to be well-resourced given their thorough understanding of the company: they were able to link current and former employees with phone numbers and real names.
Twilio said it was aware that other companies were also targeted at the same time, one of which was revealed as Cloudflare.
The DDoS mitigation company confirmed it was targeted by a phishing attack at around the same time as Twilio, but said it was not breached, which it attributed to its company-wide use of hardware-based, FIDO2-compliant multi-factor authentication (MFA) keys.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.