Phone numbers of 1900 Signal users stolen in partner company hack

Criminals had access to the phone numbers of 1900 Signal users. The SMS verification code of some of these users was also seen. As a result, the account has been taken over for at least one user.

Attackers got on August 4 access to Twilio’s customer service console after they phish Twilio employees. Twilio provides phone number verification services to Signal, which also gave the attackers access to Signal data. The criminals were able to see the data of about 1900 users. They could only see phone numbers of users and of some also the SMS verification code.

Having access to the verification code gave the attackers the ability to register phone numbers on their own devices. In their attack, the criminals searched for the phone numbers of three specific users. One of these users actually had their account registered to a new device.

This user’s account has therefore been taken over, but Signal emphasizes that conversations, profile information and contact lists have not been viewed for this user and other users. This requires the Signal PIN, a PIN that was not stolen in this attack. The criminals were able to send and receive messages with that Signal account.

Signal has been informing the 1,900 affected users about the attack since August 15. These users receive a text message from the company. Affected users will also be logged out of all Signal devices and must log in again. The chat service points it out with Registration Lock have a security measure that requires users to enter their Signal PIN when registering a new device. This feature prevents users from taking over a Signal account with just the verification code and phone number.

In addition to Signal, two-step authentication app Authy was also affected by the Twilio attack. The data of 125 users has been stolen. It’s not clear what data was stolen, except that it doesn’t involve passwords, tokens, or API keys.

Sample text messages from the Twilio phishing attack