1,900 Signal customers’ phone numbers exposed by Twilio phishing

Enlarge / Signal’s security-minded messaging app is coping with a third-party phishing try that exposed a small variety of customers’ phone numbers.

Getty Images

A profitable phishing assault at SMS companies firm Twilio could have exposed the phone numbers of roughly 1,900 customers of the safe messaging app Signal—however that is concerning the extent of the breach, says Signal, noting that no additional person information might be accessed.

In a Twitter thread and help doc, Signal states {that a} current profitable (and deeply resourced) phishing assault on Twilio allowed entry to the phone numbers linked with 1,900 customers. That’s “a very small percentage of Signal’s total users,” Signal writes, and all 1,900 affected customers will probably be notified (through SMS) to re-register their units. Signal, like many app corporations, makes use of Twilio to ship SMS verification codes to customers registering their Signal app.

With momentary entry to Twilio’s buyer help console, attackers might have probably used the verification codes despatched by Twilio to activate Signal on one other system and thereby ship or obtain new Signal messages. Or an attacker might affirm that these 1,900 phone numbers have been really registered to Signal units.


No different information might be accessed, largely due to Signal’s design. Message historical past is saved totally on person units. Contact and block lists, profile particulars, and different person information require a Signal PIN to entry. And Signal is asking customers to allow registration lock, which prevents Signal entry on new units till the person’s PIN is accurately entered.

“The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against,” Signal’s help doc reads. The messaging app notes that whereas Signal would not “have the ability to directly fix the issues affecting the telecom ecosystem,” it would work with Twilio and different suppliers “to tighten up their security where it matters for our users.”

Signal PINs have been launched in May 2020, partly to de-emphasize the reliance on phone numbers as a major person ID. This newest incident could present one other nudge to de-couple Signal’s sturdy safety from the SMS ecosystem, the place low-cost, efficient spoofing and broad community hacks stay all too frequent.


Please enter your comment!
Please enter your name here

Popular Posts

Market needs a break to rise, some possible buys

Every weekday the CNBC Investing Club with Jim Cramer holds a "Morning Meeting" livestream at 10:20 a.m. ET. Here's a recap of Monday's key...

‘Unequal partnership’ as Xi, Putin meet, says prof

China holds the "dominant position" in its relationship with Russia, and President Xi Jinping is now not ready for Moscow to "act as it...

Top Wall Street analysts like Apple & Nvidia

Apple CEO Tim Cook presents the brand new iPhone 14 at an Apple occasion at their headquarters in Cupertino, California, U.S. September 7, 2022. Carlos...

Bitcoin drops 5% to its lowest level in 3 months as risk assets continue to get crushed

Ether has massively outperformed bitcoin since each cryptocurrencies shaped a backside in June 2022. Ether's superior positive factors have come as traders anticipate a...