



[Image: Signal's security-focused messaging app combats a third-party phishing attack that exposed the phone numbers of a small number of users. Credit: Getty Images]

A successful phishing attack on SMS service company Twilio may have exposed the phone numbers of about 1,900 users of the secure messaging app Signal, but that is the full extent of the breach, Signal said, adding that the attacker could not have done much more with that access. It points out that no other user data could be accessed.

In a Twitter thread and supporting documentation, Signal said that a recent successful (and resourceful) phishing attack against Twilio allowed access to the phone numbers associated with 1,900 users. This is a "small fraction of Signal's total user count," and Signal will notify (via SMS) all 1,900 affected users to re-register their devices. Signal, like many app companies, uses Twilio to send an SMS verification code to users who register the Signal app.

With temporary access to Twilio's customer support console, the attacker could have used a verification code sent by Twilio to activate Signal on another device, and thereby send and receive new Signal messages from that number. Alternatively, an attacker could confirm that those 1,900 phone numbers are in fact registered to Signal.

No other data was accessible, mainly due to Signal's design. All message history is stored on the user's device. A Signal PIN is required to access the contact and block lists, profile details, and other user data. Signal also asks users to enable Registration Lock, which prevents Signal from being registered on a new device until the user's PIN is entered correctly.
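To make the point concrete, the following is an added illustration (not Signal's code, and not the Signal protocol) of why a leaked SMS verification code is enough to take over a registration unless Registration Lock is enabled. The `RegistrationService` class, its method names and the PBKDF2 parameters are assumptions for the example; the SMS codes are constructed in-process rather than delivered by a provider.

```python
import hashlib
import hmac
import os
import secrets


class RegistrationService:
    """Hypothetical server that registers a phone number to a device."""

    def __init__(self):
        self.sms_codes = {}   # phone -> pending code (what an SMS provider would deliver)
        self.locks = {}       # phone -> (salt, pin_hash) when Registration Lock is enabled
        self.registered = {}  # phone -> device currently holding the registration

    @staticmethod
    def _hash_pin(pin, salt):
        # Store only a salted, stretched hash of the PIN (parameters are assumed).
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enable_registration_lock(self, phone, pin):
        salt = os.urandom(16)
        self.locks[phone] = (salt, self._hash_pin(pin, salt))

    def send_sms_code(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.sms_codes[phone] = code
        return code  # in the real flow the provider, not the caller, sees this

    def register_device(self, phone, device, sms_code, pin=None):
        # Step 1: the SMS code proves (weakly) that the caller can read the number's SMS.
        if not hmac.compare_digest(self.sms_codes.get(phone, ""), sms_code):
            return "sms_code_invalid"
        # Step 2: with Registration Lock, possession of the SMS code alone is not enough.
        if phone in self.locks:
            salt, expected = self.locks[phone]
            if pin is None or not hmac.compare_digest(self._hash_pin(pin, salt), expected):
                return "registration_lock"
        self.sms_codes.pop(phone, None)  # codes are single-use
        self.registered[phone] = device
        return "registered"


def demo():
    """Same leaked code, with and without Registration Lock. Returns both outcomes."""
    svc = RegistrationService()
    leaked = svc.send_sms_code("+15550100")            # constructed number; code read from provider side
    without_lock = svc.register_device("+15550100", "other-device", leaked)
    svc.enable_registration_lock("+15550101", "4321")  # constructed number and PIN
    leaked = svc.send_sms_code("+15550101")
    with_lock = svc.register_device("+15550101", "other-device", leaked)
    return without_lock, with_lock
```

The owner, who knows the PIN, passes it as `pin=` and re-registers normally; anyone holding only the SMS code is stopped at `registration_lock`.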

"The kind of telecom attack Twilio suffered is a vulnerability that Signal developed protections such as Registration Lock and Signal PIN to defend against," a Signal support document states. The messaging app said Signal "does not have the ability to directly fix issues impacting the communications ecosystem," but that it is working with Twilio and other providers to "strengthen security that is important to its users."

Signal PIN was introduced in May 2020, partly to reduce the reliance on phone numbers as the primary user identity. This latest incident could be another impetus for separating Signal's strong security from the SMS ecosystem.

