Cross-platform encrypted instant messaging service Signal announced earlier today, August 15th, that a third-party data breach resulted in about 1,900 of its users’ phone numbers being exposed.
The application, which is touted as a secure, private and encrypted messaging service confirmed that a data breach at its verification partner Twillio caused phone numbers and SMS codes of about 1,900 users to be exposed.
Recently @twilio, which provides SMS verification services for Signal, suffered a phishing attack. Via Twilio, attackers may have accessed phone numbers & SMS registration codes for 1,900 Signal users. 1/
— Signal (@signalapp) August 15, 2022
According to the Mountain View, California-based company, “Message history, profile info, contact lists, & other data were NOT & could not be accessed.” However, the information the attackers got away with could theoretically allow them to register a Signal user’s phone number on a different device.
It is unlikely that a regular Signal user’s number would have been re-registered. According to the company, the attacker “explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered,” said the company.
Signal is currently in the midst of contacting affected customers and asking them re-register their Signal number and enable registration lock. If you are a Signal user, you should do so preemptively.
The lock can be accessed by going to Signal Settings > Account > Registration Lock.