A recent breach of Twilio, a third-party phone number verification service used by hundreds of companies, appears to have negatively impacted the privacy messaging app Signal. The Twilio hack appears to have given the attackers access to a customer service portal that allowed them to look up phone numbers to see whether they were registered to a Signal account, and in at least one case to re-register a Signal account to a different device.
Signal suffers “minor breach” from Twilio hack
The damage from the Twilio hack is relatively minimal given that Signal end-to-end encrypts all messages and stores them only on user devices, so Signal's servers hold no message history for an attacker to read. The attackers could not have read private communications, but they may have exposed which phone numbers belong to Signal users and attempted to take over the account of at least one of them.
That one attempt may not have put the targeted user in serious jeopardy either, provided the user had Signal's Registration Lock enabled, which requires the account's PIN before the number can be registered to a new device, and the attackers did not know that PIN. Without Registration Lock, the worst the attackers could do with control of the number is register it to their own device and send and receive new messages as that user; the existing message history lives only on the user's device and would not be accessible to them. The PIN also protects the user's profile information and contact list, which cannot be recovered without it.
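To make the distinction above concrete, here is an added, deliberately simplified model of SMS-code registration with an optional registration-lock PIN. It is example code written for this article, not Signal's or Twilio's implementation; the phone number, PIN, six-digit code format, PBKDF2 parameters and class names are all assumptions made for the illustration. The scenario is the one the article describes: an attacker who can read the verification SMS for a target number (here, the simulated provider's send log) tries to re-register that number to their own device, once without a lock, once with a lock they cannot open, and once with a lock they can.

```python
"""Simplified model of phone-number registration with Registration Lock.

Added illustration, not Signal's or Twilio's code. Numbers, PIN, code
format and KDF parameters are assumptions chosen for the example.
"""
import hashlib
import hmac
import os
import secrets


class SmsGateway:
    """Stands in for the third-party SMS provider. Every code it sends is
    logged; in this scenario the attacker can read that log, which is the
    equivalent of a compromised support console."""

    def __init__(self):
        self.sent = []  # list of (number, code)

    def send_code(self, number, code):
        self.sent.append((number, code))


class RegistrationServer:
    def __init__(self, gateway):
        self.gateway = gateway
        self.accounts = {}  # number -> {"device", "lock", "salt"}
        self.pending = {}   # number -> outstanding verification code
        self.queues = {}    # number -> undelivered ciphertexts only
        # No message store: messages are relayed end-to-end encrypted and
        # persist only on user devices, so a re-registration yields no history.

    @staticmethod
    def _lock_token(pin, salt):
        # Assumed KDF for the example; the point is that the server never
        # holds the PIN itself.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def is_registered(self, number):
        """The lookup a support portal could leak: is this number on the service?"""
        return number in self.accounts

    def request_code(self, number):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = code
        self.gateway.send_code(number, code)

    def verify(self, number, code, device, pin=None):
        """Bind `device` to `number` if the SMS code (and, when Registration
        Lock is on, the PIN) is correct. Returns True on success."""
        if self.pending.get(number) != code:
            return False
        acct = self.accounts.get(number)
        if acct and acct["lock"] is not None:
            if pin is None:
                return False  # code alone is not enough once the lock is set
            if not hmac.compare_digest(acct["lock"], self._lock_token(pin, acct["salt"])):
                return False
        del self.pending[number]
        salt = acct["salt"] if acct else os.urandom(16)
        lock = acct["lock"] if acct else None
        self.accounts[number] = {"device": device, "lock": lock, "salt": salt}
        return True

    def enable_registration_lock(self, number, pin):
        acct = self.accounts[number]
        acct["lock"] = self._lock_token(pin, acct["salt"])

    def relay(self, number, ciphertext):
        self.queues.setdefault(number, []).append(ciphertext)

    def fetch(self, number, device):
        """Only the currently registered device may drain the queue; the server
        keeps nothing after delivery. Returns None if `device` is not the owner."""
        if self.accounts.get(number, {}).get("device") != device:
            return None
        return self.queues.pop(number, [])


def takeover_attempt(lock_enabled, attacker_knows_pin=False):
    """Run the article's scenario. Returns which device owns the number
    afterwards and what the attacker's device can fetch."""
    gw = SmsGateway()
    server = RegistrationServer(gw)
    victim, pin = "+15555550100", "4831-9920"  # constructed number and PIN

    # Legitimate registration, one delivered message, optional lock.
    server.request_code(victim)
    server.verify(victim, gw.sent[-1][1], device="victim-phone")
    server.relay(victim, b"<e2e ciphertext>")
    server.fetch(victim, "victim-phone")  # history now lives only on the phone
    if lock_enabled:
        server.enable_registration_lock(victim, pin)

    # Attacker: confirm the number is on the service, then read the fresh
    # code from the provider's log and try to re-register.
    assert server.is_registered(victim)
    server.request_code(victim)
    leaked_code = gw.sent[-1][1]
    server.verify(victim, leaked_code, device="attacker-phone",
                  pin=pin if attacker_knows_pin else None)
    return {"owner": server.accounts[victim]["device"],
            "attacker_sees": server.fetch(victim, "attacker-phone")}
```

Without a lock the attacker's device becomes the owner, yet `attacker_sees` is an empty list: the one message already delivered is gone from the server. With the lock set, the leaked SMS code alone is rejected and the victim's device stays registered; only knowledge of the PIN changes that outcome.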
There is some danger that the attackers looked up a phone number known to belong to someone targeted for surveillance, such as an activist or political dissident. This could, at minimum, confirm that the person has a Signal account. Signal has responded to the Twilio hack by indicating that it plans to add security features already available in some other privacy messaging apps, such as letting users register with a username rather than a phone number. It may also require the PIN (Registration Lock) for new device registrations.
Privacy messaging apps learning, adding features as they go
The Twilio hack appears to have been caused by SMS phishing of customer service employees at that company: fraudulent text messages, posing as the company's IT department, asked employees to verify their login credentials. Twilio indicated that several employees with access to the company's customer service portal may have been compromised in the attack, and that the hackers accessed data from 125 of its clients (including Signal). Twilio did not disclose much information on the other impacted clients, but the company provides verification services to a number of Fortune 500 companies.
Signal's follow-up investigation indicates that the Twilio hackers looked up only three phone numbers using the customer service portal, and attempted to re-register only one of them to a different device. Both companies indicate that no sensitive personal information, login credentials or authorization credentials were exposed during the breach. Affected Signal users are being notified by the company and asked to re-register Signal on their devices to secure their accounts.