Signal’s reputation for secure messaging doesn’t make it completely invulnerable to incidents of hacking. The company has confirmed that a data breach at verification partner Twilio exposed the phone numbers and SMS codes of around 1,900 users. As TechCrunch observed, the intruder could have used the information either to identify Signal users or to re-register their numbers on other devices.
The data has already been misused. The perpetrator looked up three phone numbers and re-registered a user’s account. Signal doesn’t store chat histories or contacts online, so the breach shouldn’t have revealed any other sensitive details.
Signal is taking steps to limit the damage. It will unregister the app on all devices associated with affected accounts and force users to register again. The team also recommended enabling a registration lock that prevents anyone from re-registering on other devices without providing a PIN code.
Twilio revealed the vulnerability on August 8th. The currently unidentified perpetrators used phishing scams to obtain credentials and access the accounts of 125 customers. Although it is not clear which other customers were affected, Twilio typically supplies large companies and organizations.
The attack increases pressure on Signal to join other encrypted messaging providers and move away from phone numbers that may be vulnerable to SIM swaps and other digit-based schemes. It’s also a reminder that systems are only as secure as their technology partners – a slip-up with a third party is sometimes as dangerous as a direct attack.
https://www.engadget.com/signal-phone-number-data-breach-twilio-203312694.html?src=rss Signal says third-party data breach exposed 1,900 phone numbers