“1,900 users are a very small percentage of Signal’s total users, meaning that most were not affected. We are notifying these users directly, and prompting them to re-register Signal on their devices,” Signal said in a press statement. However, the company said that all users can be assured that “their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected.”
An attacker gained access to Twilio’s customer support console via phishing. This means the attackers messaged a customer support executive with a link, which when clicked gave them access to Twilio’s customer support systems. It was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code.
For approximately 1,900 users, either their phone numbers were potentially revealed as being registered to a Signal account, or the SMS verification code used to register with Signal was revealed. According to Signal, the attacker no longer has this access, and the attack has been shut down by Twilio.
“Your contact lists, profile information, whom you’ve blocked, and more can only be recovered with your Signal PIN which was not (and could not be) accessed as part of this incident. However in the case that an attacker was able to re-register an account, they could send and receive Signal messages from that phone number,” Signal said in a blog post.
Signal is notifying all 1,900 potentially affected users directly via SMS. As of August 16, the company has already notified users and is requiring them to re-register Signal with their phone numbers.
The SMS message that Signal is sending to affected users reads: “This is from Signal Messenger. We’re reaching out so you can protect your Signal account. Open Signal and register again.” If you saw a banner when you opened Signal saying your device is no longer registered, you may have been impacted.
Users should enable registration lock for their Signal account. Registration lock is an optional setting tied to your Signal PIN; once enabled, the PIN is required to re-register the account, which adds a verification layer beyond the SMS code alone. Here’s how you can do it:
1. Go to Signal Settings (profile)
2. Tap Account
3. Set up ‘Registration Lock’
“We are in contact with Twilio and are actively working with them and other providers to improve their security practices. On the user side, we encourage users to enable registration lock,” Signal added.