A successful phishing attack on an SMS service company may have exposed the phone numbers of about 1,900 users of the secure messaging app Signal – but that’s about the extent of the breach, Signal said, noting that no other user data could be accessed.
In a Twitter thread and a supporting document, Signal says that a successful (and well-resourced) phishing attack on Twilio gave the attackers access to the phone numbers associated with 1,900 users. That’s “a very small percentage of Signal’s total users,” Signal wrote, and all 1,900 affected users will be notified (via SMS) to re-register their devices. Signal, like many app companies, uses Twilio to send the SMS verification codes to users who sign up for the Signal app.
With temporary access to Twilio’s customer support dashboard, the attackers could have used the verification code sent by Twilio to register Signal on another device and thereby send or receive new Signal messages from that number. Alternatively, an attacker could confirm that these 1,900 phone numbers were indeed registered with Signal.
No other data could be accessed, due in large part to Signal’s design. Message history is stored entirely on the user’s device. Contacts, block lists, profile details, and other user data require the Signal PIN to access. And Signal encourages users to enable Registration Lock, which prevents Signal from being registered on a new device until the user’s PIN is entered correctly.
“The type of telecom attack that Twilio was subject to is a vulnerability that Signal developed features like Registration Lock and Signal PIN to protect against,” Signal’s support document says. The messaging app notes that while Signal is not “capable of directly fixing issues affecting the telecommunications ecosystem,” it will work with Twilio and other providers “to tighten up their security in places that are important to our users.”
Signal PINs were introduced in May 2020, in part to reduce reliance on the phone number as the primary user identifier. This latest incident may provide another impetus to decouple Signal’s otherwise robust security from the SMS ecosystem, where cheap, effective spoofing and wide-reaching network compromises remain all too common.