In its security advisory, Signal noted that Twilio, which provides phone number verification services to Signal, suffered a phishing attack. In this incident, attackers may have accessed the phone numbers and SMS registration codes of 1,900 Signal users. Signal is notifying these 1,900 users directly and prompting them to re-register Signal on their devices.
During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code. The attacker no longer has this access, and the attack has been shut down by Twilio. - Signal wrote
Signal assured users that their message history, contact lists, profile information, whom they'd blocked, and other personal data remain private and secure and were not affected. Message history is stored only on the user's device, and Signal does not keep a copy of it. Users' contact lists, profile information, whom they've blocked, and more can only be recovered with the user's Signal PIN, which was not (and could not be) accessed as part of this incident.
However, if an attacker was able to re-register an account, they could send and receive Signal messages from that phone number.
In its investigation into the breach, Signal found the following:
- Approximately 1,900 users' phone numbers were potentially revealed as being registered to a Signal account.
- The SMS verification code used to register with Signal was revealed.
Signal says that it does not have the ability to directly fix the issues affecting the telecom attack surface, but it has developed features such as registration lock and Signal PINs to protect against this kind of attack.
Signal will be working with Twilio and potentially other providers to tighten up their security where it matters for Signal's users. Even so, Signal strongly encourages users to enable registration lock on their account. Enabling registration lock with your Signal PIN adds an additional verification layer to the registration process. To enable registration lock, go to Signal Settings (profile) > Account > Registration Lock (toggle to ON).
To safeguard impacted users, Signal is taking the following steps:
- For all 1,900 of the potentially affected users, Signal will unregister Signal on all devices the user is currently using (or that an attacker registered them to) and require them to re-register Signal with their phone number on their preferred device.
- Signal is notifying all 1,900 potentially affected users directly via SMS. The SMS message being sent to affected users reads: "This is from Signal Messenger. We're reaching out so you can protect your Signal account. Open Signal and register again. More info: https://signal.org/smshelp"