Signal says 1,900 users’ phone numbers exposed by Twilio breach

End-to-end encrypted messaging app Signal says attackers accessed the phone numbers and SMS verification codes for almost 2,000 users as part of the breach at communications giant Twilio last week.

Twilio, which provides phone number verification services to Signal, said on August 8 that malicious actors accessed the data of 125 customers after successfully phishing multiple employees. Twilio did not say who the customers were, but they are likely to include large organizations after Signal on Monday confirmed that it was one of those victims.

Signal said in a blog post Monday that it would notify about 1,900 users whose phone numbers or SMS verification codes were stolen when attackers gained access to Twilio’s customer support console.

“For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal,” the messaging giant said. “Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered.”

While this didn’t give the attacker access to message history, which Signal doesn’t store, or contact lists and profile information, which is protected by the user’s security PIN, Signal said “in the case that an attacker was able to re-register an account, they could send and receive Signal messages from that phone number.”

For those affected, the company says it will unregister Signal on all devices that the user is currently using — or that an attacker registered them to — and will require users to re-register Signal with their phone number on their preferred device. Signal also advises users to switch on registration lock, a feature that prevents an account from being re-registered on another device without the user’s security PIN.

Although the Twilio breach impacts a fraction of Signal’s 40 million-plus users, users have long bemoaned how Signal — considered one of the most secure messaging apps — requires users to register a phone number to create an account. Other end-to-end encryption apps, such as Wire, allow users to sign up with a username. While Signal has slowly moved to end its reliance on phone numbers, such as with the introduction of Signal PINs in 2020, this incident will likely reignite calls for it to move faster.