Some Signal users hit by Twilio data breach

Messaging platform Signal was a huge beneficiary of rival WhatsApp’s woes early last year. When the Facebook-owned chat application introduced new terms in January 2021, it prompted a backlash from customers who started moving to rival free-to-use encrypted messaging apps such as Signal and Telegram.

Indeed, Signal and Telegram are generally regarded as more secure messaging services with greater privacy protections, even though every WhatsApp message is in fact protected by the same Signal encryption protocol.

However, this is, after all, the Internet, and it appears few services can remain entirely immune to some sort of privacy breach or attack.

The phone numbers of around 1,900 Signal users were potentially revealed following a phishing attack at Twilio. (Source: Peter Kovač / Alamy Stock Photo)

Signal itself is facing such a moment. Recently Twilio, the company that provides Signal with phone number verification services, suffered a phishing attack.

Essentially, someone gained access to Twilio’s customer support console via phishing – an attack that also affected around 1,900 Signal users.

Insecure line

According to Signal’s own investigations, either the phone numbers or SMS verification codes of these users were potentially revealed. The company said it is notifying all 1,900 potentially affected users directly via SMS and will also require those customers to re-register with Signal.

The messaging service insists that users’ private data and information "remain private and secure and were not affected".

"Signal is designed to keep your data in your hands rather than ours," it said.

"And this information certainly is not available to Twilio, or via the access temporarily gained by Twilio’s attackers."

However, it warns that if an attacker was able to re-register an account while the Twilio attack was active, they could send and receive messages from that phone number on Signal.

Users are now being encouraged to enable registration lock for their Signal account to gain additional protection. In the meantime, Signal says it is "actively working" with Twilio and other providers to improve their security practices.

— Anne Morris, contributing editor, special to Light Reading
