Instant messaging service Signal has announced that around 1,900 users may have had their phone numbers revealed to hackers due to a phishing attack on communications API developer Twilio. Twilio provides Signal with phone number verification services.
During the attack, a hacker gained unauthorized access to Twilio’s customer support console, allowing them to view phone numbers that were registered to a Signal account and the SMS verification code used to register it.
The bad actor then may have attempted to re-register their number to a different device or linked their number with a Signal account.
Signal noted that during the hack, “the attacker explicitly searched for three numbers” and the company has “received a report from one of those three users that their account was re-registered”.
The hacker did not gain access to profile information, contact lists or message history.
Signal said in a statement that it will be reaching out to the 1,900 users affected directly via SMS, which it predicts will be completed by 16 August. The company urged customers to enable the apps registration lock feature to protect against potential future attacks.