Signal says 1,900 users’ phone numbers exposed by Twilio breach – TechCrunch

End-to-end encrypted messaging app Signal says attackers accessed the phone numbers and SMS verification codes for almost 2,000 users as part of the breach at communications giant Twilio last week.
Twilio, which provides phone number verification services to Signal, said on August 8 that malicious actors accessed the data of 125 customers after successfully phishing multiple employees. Twilio did not say who the customers were, but they are likely to include large organizations after Signal on Monday confirmed that it was one of those victims.
Signal said in a blog post Monday that it would notify about 1,900 users whose phone numbers or SMS verification codes were stolen when attackers gained access to Twilio’s customer support console.
“For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal,” the messaging giant said. “Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered.”
While this didn’t give the attacker access to message history, which Signal doesn’t store, or contact lists and profile information, which are protected by the user’s security PIN, Signal said “in the case that an attacker was able to re-register an account, they could send and receive Signal messages from that phone number.”
For those affected, the company says it will unregister Signal on all devices that the user is currently using — or that an attacker registered them to — and will require users to re-register Signal with their phone number on their preferred device. Signal also advises users to switch on registration lock, a feature that prevents an account from being re-registered on another device without the user’s security PIN.
Although the Twilio breach impacts a fraction of Signal’s 40 million-plus users, users have long bemoaned how Signal — considered one of the most secure messaging apps — requires users to register a phone number to create an account. Other end-to-end encryption apps, such as Wire, allow users to sign up with a username. While Signal has slowly moved to end its reliance on phone numbers, such as with the introduction of Signal PINs in 2020, this incident will likely reignite calls for it to move faster.