Signal users hit by Twilio breach

The attacker behind the recent Twilio user data breach accessed phone numbers and SMS verification codes for 1,900 users of Signal, the popular secure messaging app. Signal Foundation, the organization behind the app, is using Twilio for phone number verification services, so the attackers could access the Signal user records via Twilio’s customer support console.

As reported by Twilio, the attacker gained initial access to Twilio’s customer support console via phishing. For approximately 1,900 users, either 1) their phone numbers were potentially revealed as being registered to a Signal account, or 2) the SMS verification code used to register with Signal was revealed.

During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code, thus being able to impersonate the user by sending and receiving Signal messages from the attacker's device.

The attack illustrates both the role of phishing and supply chain risks in modern attacks. Meanwhile, in order to prevent possible account takeovers, Signal has invited its users to enable registration lock (Signal Settings (profile) > Account > Registration Lock) for their account.

Learn more at Help Net Security.