Signal says Twilio data breach resulted in 1900 users' phone numbers being exposed

Aug 16, 2022

A week ago, I wrote an article about a data breach that happened at Twilio. It appears that Signal was impacted by this security incident.

Signal says Twilio data breach resulted in 1900 users' phone numbers being exposed

1900 Signal users' phone numbers exposed by Twilio data breach

The popular encrypted instant messaging service relies on a phone number to login, something which has drawn mixed reactions from users. A username and password system would be safer, in my opinion, as it would protect your privacy by not exposing your number to other users. But that's a different topic, let's focus on the issue at hand.

Since it uses a phone number login system, Signal relies on the SMS protocol to receive verification codes, and uses Twilio's servers for providing the codes. 2-factor authentication via SMS has long been criticized by security experts. It's not a very safe option, anyone who has access to your phone (and the SIM card with the registered number), can bypass the security layer. There are additional risks too, since SMS messages are not encrypted (plain text), the verification code can be intercepted by malware or hackers.

Using a local 2FA app like Aegis Authenticator for Android, or Raivo OTP for iOS, is a safer option, and in many ways the more convenient one too. Even Twilio's own 2FA app, Authy, is safe to use despite the parent company suffering a data breach, since the tokens are end-to-end encrypted before being uploaded to the cloud.

Signal says that the Twilio phishing attack exposed the phone numbers of around 1900 of the messaging service's users. While that may seem like a lot, the company says that it represents a very low percentage of its total users. Signal has reassured users that the data breach did not expose their personal data such as their message history, contact lists, profile information, blocked users, etc. So, how exactly are users affected?

Hackers could have gained access to the SMS verification code that was used to register Signal accounts. The attackers may have attempted to re-register a user's number on another device, or discovered that a number was tied to a Signal account. Twilio worked with service providers to shut down the attack vectors as soon as it discovered the attack and notified Signal about it, so while the threat has ended, there is a possibility that the exposed numbers were at risk before the issue had been resolved.

Signal says that the attacker searched for three numbers, and one of those users had reported that their account had been re-registered by someone else. That's why the company is reaching out to the other affected users, in order to prompt them to re-register Signal on their devices. You can refer to this support article for more details regarding the incident.

Meanwhile, Twilio has confirmed that approximately 125 of its users' data had been accessed by malicious actors for a limited time, and that it alerted them about it. The company states that there is no evidence that customer passwords, authentication tokens, or API keys were accessed by the attackers.

Signal Registration Lock

Signal is also encouraging users to enable registration lock on their Signal accounts to secure their accounts. You can do so from the Signal Settings (profile) > Account > Registration Lock. This will add an extra layer of security, i.e., the app will ask you to enter your Signal PIN to register the account again.

Signal says Twilio data breach resulted in 1900 users' phone numbers being exposed
Article Name
Signal says Twilio data breach resulted in 1900 users' phone numbers being exposed
Instant messaging service Signal says that 1900 users' phone numbers were exposed because of the Twilio data breach.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. bruh said on August 18, 2023 at 1:25 pm

    Uhh, this has already been possible – I am not sure how but remember my brother telling me about it. I’m not a whatsapp user so not sure of the specifics, but something about sending the image as a file and somehow bypassing the default compression settings that are applied to inbound photos.

    He has also used this to share movies to whatsapp groups, and files 1Gb+.

    Like I said, I never used whatsapp, but I know 100% this isn’t a “brand new feature”, my brother literally showed me him doing it, like… 5 months ago?

  2. 💥 said on August 18, 2023 at 3:55 pm

    Martin, what happened to those: 12 Comments ( Is there a specific justifiable reason why they were deleted?

    Hmm, it looks like the gHacks website database is faulty, and not populating threads with their relevant cosponsoring posts.

  3. 45 RPM said on August 19, 2023 at 6:29 pm

    The page on ghacks this is on represents the best of why it has become so worthless, fill of click-bait junk that it’s about to be deleted from my ‘daily reads’.

    It’s really like “Press Release as re-written by some d*ck for clicks…poorly.” And the subjects are laughable. Can’t wait for “How to search for files on Windows”.

    1. owl said on August 20, 2023 at 12:51 am

      > The page on ghacks this is on represents the best of why it has become so worthless, fill of click-bait junk…

      Sadly, I have to agree.

      Only Martin and Ashwin are worth subscribing to.
      Especially Emre Çitak and Shaun are the worst ones.

      If intended “Clickbait”, it would mark the end of Ghacks Technology News.
      Ghacks doesn’t need crappy clickbaits. Clearly separate articles from newer authors (perhaps AIs and external sales person or external advertising man) as just “Advertisements”!

      We, the subscribers of Ghacks, urge Martin to make a decision.

  4. chessandonions said on August 20, 2023 at 12:40 am

    because nevermore wants to “monetize” on every aspect of human life…

  5. Frank Rizzo said on August 20, 2023 at 11:52 pm

    “Threads” is like the Walmart of Social Media.

  6. Ashray said on August 21, 2023 at 4:06 pm

    How hard can it be to clone a twitter version of that as well? They’re slow.

  7. Paul(us) said on August 21, 2023 at 5:16 pm

    Yes, why not mention how large the HD files can be?
    Why, not mention what version of WhatsApp is needed?
    These omissions make the article feel so bare. If not complete.

    1. Paul(us) said on August 21, 2023 at 5:18 pm

      Sorry posted on the wrong page.

  8. Marc said on August 21, 2023 at 6:00 pm

    such a long article for such a simple matter. Worthless article ! waste of time

  9. plusminus_ said on August 21, 2023 at 7:54 pm

    I already do this by attaching them via the ‘Document’ option.

  10. John G. said on August 21, 2023 at 11:43 pm

    I don’t know what’s going on here at Ghacks but it’s obvious that something is broken, comments are being mixed whatever the article, I am unable to find some of my later posts neither. :S

  11. Tom Hawack said on August 23, 2023 at 2:28 pm

    Quoting the article,
    “As users gain popularity, the value of their tokens may increase, allowing investors to reap rewards.”

    Besides, beyond the thrill and privacy risks or not, the point is to know how you gain popularity, be it on social sites as everywhere in life. Is it by being authentic, by remaining faithful to ourselves or is it to have this particular skill which is to understand what a majority likes, just like politicians, those who’d deny to the maximum extent compatible with their ideological partnership, in order to grab as many of the voters they can?

    I see the very concept of this as unhealthy, propagating what is already an increasing flaw : the quest for fame. I won’t be the only one to count himself out, definitely.

    1. Tom Hawack said on August 23, 2023 at 2:34 pm

      @John G. is right : my comment was posted on [] and it appears there but as well here at []

      This has been lasting for several days. Fix it or at least provide some explanations if you don’t mind.

  12. Tom said on August 24, 2023 at 11:53 am

    > Google Chrome is following in Safari’s footsteps by introducing a new feature that allows users to move the Chrome address bar to the bottom of the screen, enhancing user accessibility and interaction.

    Firefox did this long before Safari.

  13. Mavoy said on September 16, 2023 at 2:17 pm

    Basically they’ll do anything except fair royalties.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.