Twilio hack exposed Signal phone numbers of 1,900 users

Phone numbers of close to 1,900 Signal users were exposed in the data breach that cloud communications company Twilio suffered at the beginning of the month.

Twilio provides phone number verification services for Signal and last week disclosed that an attacker hacked its network on August 4.

The communications company confirmed that data belonging to 125 of its customers was exposed after the hackers gained access to Twilio employee accounts by sending them text messages with malicious links.

Hacker could register phone numbers to their device

Signal today published an advisory for its users informing them how the cyberattack on Twilio affected them:

“All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected” – Signal

However, for about 1,900 Signal users, their phone numbers were potentially exposed to the Twilio attacker, who may have tried to register them to another device.

Signal’s investigation into the incident concluded that the hacker’s access to Twilio’s customer support console either allowed them to see that the phone number was linked to a Signal account or revealed the SMS verification code for registering with the service.

“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code. The attacker no longer has this access, and the attack has been shut down by Twilio” – Signal

The encrypted instant messaging service says that of the 1,900 phone numbers, the attacker “explicitly searched” for three of them. One of those users reported that their account was re-registered.

Signal reassures users that their message history remained protected at all times because it is available only on the device, with no copy on the service’s servers.

Contact lists and profile information are protected by the Signal PIN, which could not be accessed during the Twilio data breach.

SMS notifications on their way

The company warns that if an attacker re-registers an account to one of their devices, they would be able to send and receive Signal messages from that phone number.

All 1,900 affected Signal users will be unregistered on all devices and will need to go through the registration process on their devices.

Signal is now in the process of sending SMS messages to affected users to let them know about the risk and expects to complete the process by tomorrow.

Impacted users should receive a message reading: “This is from Signal Messenger. We’re reaching out so you can protect your Signal account. Open Signal and register again. More information: https://sign.org/smshelp.”

When opening the Signal app, they should also see a banner notifying them that their device is no longer registered, if they used the service recently.

Signal encourages users to activate the registration lock option, which allows recovering the profile, settings, contacts, and blocked users. The feature can be enabled or disabled only from the device and requires the Signal PIN as an additional verification layer.
