1,900 Signal users’ phone numbers exposed by Twilio phishing

Signal's security-minded messaging app is dealing with a third-party phishing attempt that exposed a small number of users' phone numbers. (Image: Getty Images)

A successful phishing attack at SMS services company Twilio may have exposed the phone numbers of roughly 1,900 users of the secure messaging app Signal—but that’s about the extent of the breach, says Signal, noting that no further user data could be accessed.

In a Twitter thread and support document, Signal states that a recent successful (and deeply resourced) phishing attack on Twilio allowed access to the phone numbers linked with 1,900 users. That’s “a very small percentage of Signal’s total users,” Signal writes, and all 1,900 affected users will be notified (via SMS) to re-register their devices. Signal, like many app companies, uses Twilio to send SMS verification codes to users registering their Signal app.

With momentary access to Twilio’s customer support console, attackers could have potentially used the verification codes sent by Twilio to activate Signal on another device and thereby send or receive new Signal messages. Or an attacker could confirm that these 1,900 phone numbers were actually registered to Signal devices.

No other data could be accessed, in large part because of Signal’s design. Message history is stored entirely on user devices. Contact and block lists, profile details, and other user data require a Signal PIN to access. And Signal is asking users to enable registration lock, which prevents Signal access on new devices until the user’s PIN is correctly entered.

“The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against,” Signal’s support document reads. The messaging app notes that while Signal doesn’t “have the ability to directly fix the issues affecting the telecom ecosystem,” it will work with Twilio and other providers “to tighten up their security where it matters for our users.”

Signal PINs were introduced in May 2020, in part to reduce the reliance on phone numbers as the primary user identifier. This latest incident may provide another nudge to decouple Signal’s strong security from the SMS ecosystem, where cheap, effective spoofing and broad network hacks remain all too common.

https://arstechnica.com/?p=1873800