1,900 Signal Accounts Potentially Compromised in Twilio Phishing Hack

About 1,900 customers of Signal, the messaging app often considered the gold-standard of privateness, might have had their cellphone numbers or textual content verification codes accessed by hackers. The breach was a part of a phishing assault on the communications firm, Twilio, which gives Signal’s SMS verification service.

From Signal’s Monday announcement acknowledging the info breach:

• An attacker gained entry to Twilio’s customer support console via phishing. For roughly 1,900 customers, both 1) their cellphone numbers have been doubtlessly revealed as being registered to a Signal account, or 2) the SMS verification code used to register with Signal was revealed.
• During the window when an attacker had entry to Twilio’s buyer help techniques it was attainable for them to try to register the cellphone numbers they accessed to a different gadget utilizing the SMS verification code. The attacker now not has this entry, and the assault has been shut down by Twilio.

Thankfully, the extent of the hack was comparatively small (for context: Signal has about 40 million month-to-month lively customers), and most of the current privateness measures that Signal employs appear to have finished their job defending consumer info. The firm emphasised that consumer message historical past, message content material, contacts, profile info, and different private knowledge hasn’t been impacted. Instead, the hack allowed attackers to entry and doubtlessly register new units to a small subset of Signal customers’ cellphone numbers.

“Message history is stored only on your device and Signal does not keep a copy of it. Your contact lists, profile information, whom you’ve blocked, and more can only be recovered with your Signal PIN which was not (and could not be) accessed as part of this incident. However in the case that an attacker was able to re-register an account, they could send and receive Signal messages from that phone number,” wrote the corporate.

Signal’s cellphone quantity registration requirement has lengthy been a sore spot for these notably involved with anonymity and safety. Many on-line discussions have advocated for a switch to usernames over cellphone numbers, out of fears of such a breach.

The main danger to victims of the hack is that they may very well be impersonated by the attackers by means of their Signal account, which gave the impression to be the supposed consequence in at the least three circumstances. The firm reported that the attacker particularly searched for 3 cellphone numbers, and that at the least a kind of customers had their account re-registered.

Signal mentioned that each one impacted customers can be notified immediately through SMS, starting immediately. Note: If you’re one of many 1,900, that message will learn: “This is from Signal Messenger. We’re reaching out so you can protect your Signal account. Open Signal and register again. More info: https://signal.org/smshelp.”

Those affected may even have all of their units unregistered from the platform, and might want to re-register their cellphone quantity with Signal on their most popular gadget.

The firm additional identified that each one customers can enable registration lock for his or her Signal account in settings. Registration lock prevents new units from registering on an current account with out verification by means of Signal PIN.

What occurred at Twilio?

Twilio first introduced that they had been attacked earlier this month, in an August 7 blog post. The firm gives communications instruments and providers to thousands of clients, together with Signal but in addition Facebook, Uber, Lyft, AirBnb, and Twitter. According to Twilio, staff have been focused with a phishing hyperlink and message asking them to reset their log-in info. When some employees fell for the ploy, attackers have been then in a position to make use of these worker credentials to entry inside techniques and buyer knowledge.

“We have identified approximately 125 Twilio customers whose data was accessed by malicious actors for a limited period of time, and we have notified all of them,” the corporate wrote in an replace on August 10. Clearly, Signal was a kind of impacted Twilio prospects, however the complete extent of the hack stays unknown.

And, based on Twilio, the phishing assault seems to be coordinated and ongoing. The comms big wrote that different corporations have additionally been topic to comparable tried hacks, and that phishing makes an attempt and messages proceed to roll in.