The security breach at Twilio earlier this month affected at least one high-value customer, Signal, and led to the exposure of the phone number and SMS registration codes for 1,900 users of the encrypted messaging service, it confirmed.
However, Signal – considered one of the better secured of all the encrypted messaging apps – claims the attacker would not have been able to access the message history, contact lists, profile information, or other personal data associated with these user accounts. The non-profit organization said in a security note on its site that it has identified and is notifying the 1,900 users directly, and prompting them to re-register Signal on their devices.
The company had already come under fire for its practice of SMS verification in the past, something which has rebounded in the wake of the disclosure.
According to Signal, Twilio provides SMS verification services for its platform. Twilio provides messaging, call center and two-factor authentication services, among others, to about 256,000 customers altogether – although it said in an earlier incident report about the breach that only 125 of its customers had data “accessed by malicious actors for a limited period of time.”
The news that Signal was one of the 125 has raised questions about the identity of other Twilio customers, especially as the encrypted comms platform is known for its transparency. Others may be less forthcoming.
According to Signal’s security note, when Twilio was hit by a phishing attack earlier this month, this may potentially have led to the phone numbers of 1,900 Signal users being revealed as registered to a Signal account. The encryption app platform added that the users’ SMS verification codes were also exposed.
It appears that during the window of time that the attacker had access to Twilio’s customer support systems, it would have been possible for them to attempt to re-register the phone numbers they had accessed, transferring the Signal account to another device under their own control, using the SMS verification code. It also stresses that the attacker no longer has this access, and that the attack had been shut down by Twilio.
Intriguingly, Signal states that the attacker explicitly searched for three phone numbers among the 1,900 accessed, and the organization has since received a report from one of those three users that their account was indeed re-registered and hijacked.