Signal Reports Data Breach Impacting 1,900 Users
The private messaging app Signal has reported a data breach that exposed the mobile phone numbers and verification codes of 1,900 users. The incident occurred as a result of a phishing attack on Twilio, the company that provides phone number verification services for Signal. This information was shared in a post on Signal’s official blog.
According to Signal, the breach theoretically allowed attackers to re-register affected accounts on their own devices and potentially send messages as those users. However, Signal believes that the cybercriminals were targeting just three specific phone numbers.
The company emphasized that 1,900 users represent “a very small percentage of Signal’s total user base,” which, according to TechCrunch, is around 40 million users. For all affected users, Signal has deactivated registration on their current devices, requiring them to re-register. SMS notifications have been sent to inform those impacted.
How to Know If You Were Affected
If you see a banner in Signal stating that your device is no longer registered, it may be due to this breach. However, there are other possible reasons for deactivation, such as a long period of inactivity.
No Access to Message History or Contacts
Signal clarified that the breach did not give attackers access to message history, profile information, or contact lists:
- Message history is stored only on your device, and Signal does not keep a copy.
- Your contact lists and profile information can only be restored using your Signal PIN, which was not (and could not be) accessed during this incident.
However, if attackers managed to re-register an account, they could send and receive messages from the compromised phone number.
Signal’s Recommendations
Signal now recommends that all users enable Registration Lock for their accounts. This adds an extra layer of verification during the registration process. To enable Registration Lock, go to Settings (profile) > Account > Registration Lock in the Signal app.
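The following Python model is an added illustration, not Signal's own code or protocol: it shows why a verification code seen by a compromised SMS provider is enough to re-register an account on another device unless Registration Lock is enabled, at which point the PIN check blocks the attempt. The service class, PIN hashing scheme and phone numbers are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

def hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen digest is costly to brute-force
    # (assumption for the example; Signal's real PIN scheme differs)
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class RegistrationService:
    """Toy registration server: SMS code check plus optional Registration Lock."""
    def __init__(self):
        self.sms_codes = {}   # phone -> code currently in transit via the SMS provider
        self.locks = {}       # phone -> (salt, PIN digest) when Registration Lock is on
        self.devices = {}     # phone -> device that currently holds the account

    def send_sms_code(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.sms_codes[phone] = code
        return code           # delivered through the SMS provider in reality

    def enable_registration_lock(self, phone, pin):
        salt = secrets.token_bytes(16)
        self.locks[phone] = (salt, hash_pin(pin, salt))

    def register(self, phone, device, sms_code, pin=None):
        expected = self.sms_codes.get(phone)
        if expected is None or not hmac.compare_digest(expected, sms_code):
            return False
        if phone in self.locks:
            salt, digest = self.locks[phone]
            if pin is None or not hmac.compare_digest(digest, hash_pin(pin, salt)):
                return False  # SMS code alone is not enough once the lock is on
        del self.sms_codes[phone]   # verification codes are single-use
        self.devices[phone] = device
        return True

def simulate_sms_provider_breach(lock_enabled):
    """Return which device holds the account after a leaked SMS code is replayed."""
    svc = RegistrationService()
    phone = "+15550001111"   # constructed sample number
    svc.register(phone, "victim-phone", svc.send_sms_code(phone))
    if lock_enabled:
        svc.enable_registration_lock(phone, "4821")   # constructed sample PIN
    leaked_code = svc.send_sms_code(phone)   # visible to a compromised SMS provider
    svc.register(phone, "other-device", leaked_code)  # re-registration without the PIN
    return svc.devices[phone]
```

Without the lock the leaked code moves the account to the other device; with the lock the account stays on the owner's device, and only a registration that also presents the correct PIN succeeds.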
Expert Commentary
Some experts have commented that true privacy is difficult to achieve with centralized services, especially those that use phone numbers for identification. Vadim Misbakh-Solovyov, a technical specialist at Roskomsvoboda, noted, “The words ‘centralization’ and ‘privacy’ in the same sentence are an oxymoron.”