Phone numbers and SMS codes of 1,900 Signal app users potentially leaked

Encrypted chat service Signal reports that 1,900 users may have had their phone number leaked due to hackers breaching Twilio, a service provider for the messaging app.

Additionally, the same users may have had the SMS codes necessary to register the Signal app on a smartphone leaked to hackers. In the wrong hands, the exposed information paves the way for an attacker “to save a Signal user’s phone number to a new device if that user hadn’t enabled the record lock,” which amounts to a hijacking risk, the messaging app says.

“Of the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we received a report from one of those three users that their account was re-registered,” Signal says. “In the event that an attacker could re-register an account, they could send and receive Signal messages from that phone number.”

As a result, Signal is contacting the 1,900 affected users about the potential data exposure via an SMS message. Vulnerable users will also need to re-register the Signal app on their smartphones.

The potential breach is troubling because many Signal users expect the encrypted chat app to protect their privacy. The app is best known for offering end-to-end encryption, which means Signal itself can’t even read your messages. But the app has long required consumers to use a real phone number when signing up, which has been a point of criticism.

Signal uses Twilio’s SMS messaging to verify phone numbers for new sign-ups on the app. Twilio says hackers got into the company’s computer systems earlier this month by successfully phishing some company employees. The resulting breach gave the hackers temporary access to data belonging to 125 Twilio corporate customers before they were booted from the system.

In its defense, Signal points out that the Twilio breach only affected a small number of victims compared to its user base of around 40 million. The app’s end-to-end encryption also ensured that attackers had no way of accessing users’ private messages.

“All users can rest assured that their message history, contact lists, profile information, people they have blocked and other personal data remains private and secure and has not been affected,” the messaging app wrote on a support page.

Signal also encourages users to enable “Record Lock” on the Signal app. This will effectively lock the Signal app to your smartphone, eliminating the risk of hijacking. “We created this feature to protect users against threats such as the Twilio attack,” the messaging service adds.

“While we don’t have the ability to directly address issues affecting the telecommunications ecosystem, we will work with Twilio and potentially other vendors to strengthen their security where it matters to our users,” Signal says.

About Sandra A. Powell
