Twilio, which provides phone number verification services to the Signal app, was recently hit by a phishing attack. In light of this attack, the Signal app published an article on “What the app user should know about the attack.”
The app has assured users that their message history, contact lists, profile information, people they have blocked and other personal data remains private, safe and untouched.
“For approximately 1,900 users, the attacker attempted to re-register their number on another device or knew their number was registered with Signal. This attack has since been stopped by Twilio,” the app says.
According to Signal, 1,900 users represent a very small percentage of the total Signal users, meaning that most users are not affected.
Signal is notifying these 1,900 users directly, and requesting that the Signal app be re-registered on their devices. In its message to users, the company says: “If you receive an SMS from Signal that contains a link to this support article, please follow these steps:
- Open the Signal app on your phone and re-register your Signal account if the app prompts you to do so.
- To better protect your account, we strongly recommend that you enable Registration Lock in the app settings. We created this feature to protect users from threats like the Twilio attack.”
What exactly happened?
“Twilio, the company that provides phone number verification services to Signal, informed us that it had been subjected to a phishing attack. We are investigating the incident,” Signal said.
“An attacker gained access to Twilio’s customer service console through phishing. For approximately 1,900 users, this meant that either their phone number was revealed as registered to a Signal account or the SMS verification code used to register with Signal was revealed,” Signal says.
“During the window in which the attacker had access to Twilio’s customer support systems, it was possible for them to register the phone numbers they obtained on another device using the SMS verification code. The attacker no longer has this access, and the attack has been shut down by Twilio,” the company says.
The company says that “of the 1,900 phone numbers, the attacker specifically searched for 3 numbers, and we received a report from one of these three users that their account was re-registered.”
“Importantly, this did not give the attacker access to any message history, profile information or contact lists,” Signal explains. “The message history is only stored on your device and Signal does not keep a copy of it.”
“Your contact lists, profile information, people you’ve blocked, and more can only be recovered with your Signal PIN, which was not (and could not be) accessed as part of this incident.”
However, if the attacker manages to re-register an account, they can send and receive Signal messages from that phone number.
What steps is Signal taking to protect affected users?
Signal says that “for all 1,900 potentially affected users, we will deregister Signal on all devices the user is currently using (or on which an attacker has registered) and will require them to re-register Signal with their phone number on their preferred devices.”
The company is notifying all 1,900 potentially affected users directly via SMS.
Starting August 15, Signal will notify users and ask them to re-register Signal with their phone numbers. Signal expects to complete this by August 16.
Signal explains that the kind of telecom attack Twilio suffered is a vulnerability that Signal developed features such as Registration Lock and Signal PINs to protect against. The company strongly encourages users to enable Registration Lock.
Signal acknowledges that while it can’t directly fix problems in the telecom system, it will work with Twilio and possibly other vendors to tighten their security measures “wherever it’s important to our users,” it says.
Did it affect me?
Signal says that, based on the information it received from Twilio, “it is possible that 1,900 users were affected.”
The SMS that Signal sends to these users reads: “This message is from Signal Messenger. We are contacting you so that you can protect your Signal account. Open the Signal app and sign in again. More information: https://signal.org/smshelp.”
If you open the Signal app and see a message that your device is no longer registered, you may be affected, but there are other reasons a device may become unregistered, such as not having used Signal for a long time.
Has my personal data been accessed or hacked?
Signal says that it collects no personal data from users: the Signal app is designed to keep your data in your hands, not the company’s.
According to Signal’s statement, Signal does not have access to your message history, contact list, profile information, the people you have blocked, or other personal data.
Signal also says that Twilio never has access to this information, so the attacker’s access to Twilio’s systems did not expose it.
Was someone I was talking to affected?
Signal says that given the small number of people affected by this incident, it is unlikely that any of your contacts were affected. However, if you are concerned about whether a contact was affected, Signal suggests you reach out to them and ask whether they received an SMS notification from Signal asking them to re-register their account and directing them to more information about the incident.
What should I do?
Signal encourages users to enable Registration Lock for their Signal account. Enabling the optional Registration Lock, which is backed by your Signal PIN, adds an extra layer of authentication to the registration process: an SMS verification code alone is no longer enough to register the number on a new device.
To do this, open the app settings from your profile, go to Account, and enable “Registration Lock”.
What is Signal doing to prevent this from happening again?
Signal says it is in contact with Twilio and is actively working with them and other service providers to improve their security practices. As for users, the company encourages them to enable Registration Lock.