Signal says Twilio data breach resulted in 1900 users' phone numbers being exposed
A week ago, I wrote an article about a data breach that happened at Twilio. It appears that Signal was impacted by this security incident.
1900 Signal users' phone numbers exposed by Twilio data breach
The popular encrypted instant messaging service relies on a phone number to login, something which has drawn mixed reactions from users. A username and password system would be safer, in my opinion, as it would protect your privacy by not exposing your number to other users. But that's a different topic, let's focus on the issue at hand.
Since it uses a phone number login system, Signal relies on the SMS protocol to receive verification codes, and uses Twilio's servers for providing the codes. 2-factor authentication via SMS has long been criticized by security experts. It's not a very safe option, anyone who has access to your phone (and the SIM card with the registered number), can bypass the security layer. There are additional risks too, since SMS messages are not encrypted (plain text), the verification code can be intercepted by malware or hackers.
Using a local 2FA app like Aegis Authenticator for Android, or Raivo OTP for iOS, is a safer option, and in many ways the more convenient one too. Even Twilio's own 2FA app, Authy, is safe to use despite the parent company suffering a data breach, since the tokens are end-to-end encrypted before being uploaded to the cloud.
Signal says that the Twilio phishing attack exposed the phone numbers of around 1900 of the messaging service's users. While that may seem like a lot, the company says that it represents a very low percentage of its total users. Signal has reassured users that the data breach did not expose their personal data such as their message history, contact lists, profile information, blocked users, etc. So, how exactly are users affected?
Hackers could have gained access to the SMS verification code that was used to register Signal accounts. The attackers may have attempted to re-register a user's number on another device, or discovered that a number was tied to a Signal account. Twilio worked with service providers to shut down the attack vectors as soon as it discovered the attack and notified Signal about it, so while the threat has ended, there is a possibility that the exposed numbers were at risk before the issue had been resolved.
Signal says that the attacker searched for three numbers, and one of those users had reported that their account had been re-registered by someone else. That's why the company is reaching out to the other affected users, in order to prompt them to re-register Signal on their devices. You can refer to this support article for more details regarding the incident.
Meanwhile, Twilio has confirmed that approximately 125 of its users' data had been accessed by malicious actors for a limited time, and that it alerted them about it. The company states that there is no evidence that customer passwords, authentication tokens, or API keys were accessed by the attackers.
Signal is also encouraging users to enable registration lock on their Signal accounts to secure their accounts. You can do so from the Signal Settings (profile) > Account > Registration Lock. This will add an extra layer of security, i.e., the app will ask you to enter your Signal PIN to register the account again.Advertisement