Twilio, which provides phone number verification services to the Signal app, was recently hit by a phishing attack.

In response to this attack, Signal published an article on "What the application user should know about the attack."

The app reassured users that their message history, contact lists, profile information, people they've blocked, and other personal data remain private, secure, and unaffected.

"For about 1,900 users, the attacker tried to re-register their number on another device or knew that their number was registered to Signal. This attack has since been stopped by Twilio," the app says.

According to Signal, 1,900 users represent a very small percentage of all Signal users, which means that most users are not affected.

Signal is notifying these 1,900 users directly, and is requesting that the Signal app be re-registered on their devices. In its message to users, the company says, “If you receive an SMS from Signal containing a link to this support article, please follow these steps:

  • Open the Signal app on your phone and register your Signal account again if the app asks you to do so.

  • To better protect your account, we highly recommend enabling registration lock in the app settings.

    We created this feature to protect users from threats such as the Twilio attack.”

What happened exactly?

"Twilio, the company that provides phone number verification services to Signal, has informed us that it has been subjected to a phishing attack. We have investigated the incident," Signal said.

“An attacker gained access to Twilio’s customer support console via phishing. For about 1,900 users, this means that either their phone numbers were revealed as registered to a Signal account or the SMS verification code used to sign up for Signal was revealed.”

"During the window in which the attacker gained access to Twilio's customer support systems, it was possible for him to try to log the phone numbers he accessed on another device using the SMS verification code. The attacker no longer had this access, and the attack was stopped by Twilio," Signal says.

The company says that "of the 1,900 phone numbers, the attacker explicitly searched for 3 numbers, and we received a report from one of these three users that their account was re-registered."

"Importantly, this did not give the attacker access to any message history, profile information, or contact lists," Signal explains. "The message history is only stored on your device and Signal does not keep a copy of it."

"Your contact lists, profile information, people you've blocked, and more can only be retrieved using your Signal PIN that was not (and cannot be) accessed as part of this incident."

However, if the attacker manages to re-register an account, he can send and receive Signal messages from that phone number.

We are taking these steps to protect affected users

Signal says that "for all 1,900 potentially affected users, we will deregister Signal on all devices the user is currently using (or an attacker has registered on) and will require them to re-register Signal with their phone number on their preferred devices."

The company is notifying all 1,900 potentially affected users directly via SMS.

As of August 15, Signal will notify users and ask them to re-register Signal with their phone numbers.

It expects to complete this step by August 16.

Signal explains that the type of telecom attack Twilio suffered is a vulnerability that Signal developed features such as registration lock and Signal PINs to protect against.

The company strongly encourages users to enable registration lock.

Signal acknowledges that while it cannot directly fix issues affecting the communications system, it will work with Twilio and possibly other providers to tighten their security measures "wherever this is important to our users," it says.

Did this affect me?

Signal says that based on the information it received from Twilio, “it is possible that 1,900 users have been affected.”

The SMS that Signal sends to these users reads, “This message is from Messenger. We are contacting you so you can protect your Signal account. Open the Signal app and sign up again. More information https://signal.org/smshelp”.

If, when you open the Signal app, you see a message that your device is no longer registered, you may have been affected, but there could be other reasons why you are not registered, such as not being in the system for a long time.

Twilio, which provides phone number verification services to Signal, says it has been subjected to a phishing attack (Reuters)

Was my personal data accessed or hacked?

Signal says that no personal data of users has been accessed; the Signal app is designed to keep your data in your hands, not in the company's hands.

Signal does not have access to your message history, contact list, profile information, who you've blocked, and other personal data, according to Signal's statement.

Signal asserts that this information is not available to Twilio, nor through the access temporarily obtained by Twilio's attackers.

Is someone I'm chatting with affected?

Signal says that given the small number of people who have experienced this incident, it is unlikely that one of the people communicating with users was affected.

However, Signal believes that if you are concerned about whether a contact has been affected, you can reach out to them and ask if they have received an SMS notification from Signal asking them to re-register their account and directing them to more information about the incident.

What should I do?

Signal encourages users to enable registration lock for their Signal account.

Using the optional registration lock with your Signal PIN adds an extra layer of verification to the registration process.

To do this, the user has to go to the “Profile” settings, then the account, and choose “Lock registration”.

What does Signal do to prevent this from happening again?

Signal says they are in contact with Twilio, and are actively working with them and other service providers to improve their security practices.

As for users, the company encourages them to enable registration lock.