Signal, a popular encrypted messaging service, announced Monday that the phone numbers of around 1,900 users could have been compromised in a phishing attack.
The attack targeted Twilio, a San Francisco-based company that provides Signal with phone number verification services, in recent weeks.
In addition to learning that these numbers are linked to Signal accounts, the attacker may have tried to re-register the numbers to other devices using the SMS verification codes, which were also exposed, according to a statement from the company.
Signal assures its users that their contact lists, message history, profile information, lists of blocked contacts, and other data have not been accessed.
Twilio stopped the cyber attack, blocking the attacker’s access, and an investigation into the breach is underway.
Signal is currently reaching out to potentially affected users through SMS notifications.
The attacker explicitly searched for three phone numbers registered with Signal. One of the three users contacted the company to report that their account was re-registered.
“Importantly, this did not give the attacker access to any message history, profile information, or contact lists. Message history is stored only on your device and Signal does not keep a copy of it,” Signal noted.
“Your contact lists, profile information, whom you’ve blocked, and more can only be recovered with your Signal PIN which was not (and could not be) accessed as part of this incident. However in the case that an attacker was able to re-register an account, they could send and receive Signal messages from that phone number,” added the statement.
To reduce this risk, Signal urges users to enable “registration lock”, which adds an additional verification layer to the registration process, by going to Signal Settings > Account > Registration Lock.
I use Signal every day. #notesforFBI (Spoiler: they already know) https://t.co/KNy0xppsN0
— Edward Snowden (@Snowden) November 2, 2015
Signal is known as one of the most secure messaging services with its end-to-end encryption, which blocks third parties, including Signal itself, from accessing messages. It also uses open-source software, meaning its code is publicly accessible.
NSA whistleblower Edward Snowden, who has been in exile in Russia since 2013 after leaking major surveillance programs in the US, is a user and vehement supporter of the app.
Use Signal
— Elon Musk (@elonmusk) January 7, 2021
In early 2021, Tesla and SpaceX CEO Elon Musk also openly promoted Signal in a tweet, receiving a retweet from Twitter’s then-CEO Jack Dorsey.