The attacker involved in the latest Twilio data leak may have obtained phone numbers and SMS registration codes for 1,900 Signal users.
“Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered,” the Signal team shared on Monday.
Twilio offers phone number verification services (through SMS) to Signal. Earlier this month, several Twilio employees were duped into receiving SMS messages that seemed to be from the company's IT department. The attacker gained access to information pertaining to 125 Twilio client accounts, including Signal's.
“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code,” the Signal team explained.
As previously stated, the attacker was able to re-register at least one of the three numbers they specifically sought for.
“All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected,” the team noted. That’s because that data is stored on the users’ device and Signal has no access to or copy of it. “And this information certainly is not available to Twilio, or via the access temporarily gained by Twilio’s attackers,” the team added.
Unfortunately, if the attacker was successful in re-registering an account, they might impersonate the user by sending and receiving Signal communications from that phone number.
Signal is immediately contacting potentially affected users of this vulnerability through SMS. The business has unregistered Signal on all devices that these 1,900 users are now using (or that an attacker has registered for them) and is requesting that they re-register Signal with their phone number on their preferred device.
Furthermore, they are advising them to enable registration lock (Signal Settings (profile) > Account > Registration Lock) for their account, which is a function that aids in the prevention of this sort of fraud.
The attacker was able to obtain either the phone numbers of 1,900 registered Signal users or the SMS verification code they used to register with Signal as a result of this.
“The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against. We strongly encourage users to enable the registration lock. While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” the team concluded.