Signal trapped by its partner Twilio
In an official blog post, Signal has opted for full transparency, confirming that Twilio, the company that provides Signal with phone number verification services, suffered a phishing attack. The company is quick to explain, however, that message history, contact lists, profile information, blocked people, and other personal data remain private and secure and have not been affected. Phew!
In total, Signal indicates that the phone numbers of approximately 1,900 users may have been exposed, and that the attacker was able to take the opportunity to reassign certain numbers. “This attack was quickly stopped by Twilio. 1,900 users is a very small percentage of Signal’s total number of users, meaning most were unaffected,” the company says reassuringly.
Signal indicates that the affected users were all contacted by text between August 15 and 16, and are invited to re-register on the platform. Of the 1,900 phone numbers affected, the attacker explicitly searched for three numbers, and Signal says it received a report from one of those three users that their account was reassigned.
Signal strongly encourages its users to enable registration lock to maximize the protection of their account. For its part, Signal says it is actively working with Twilio and other vendors to improve their respective security practices.