Twilio breach exposed some Signal users’ numbers
A successful phishing campaign earlier this month targeting Twilio, which allows users to register cheap digital phone numbers, had fallout for Signal users, the encrypted messenger service said Monday. The attack highlights the ripple effect attacks on digital service providers can have on the security of other platforms — including those relied on for that very security.
Around 1,900 Signal users either had their linked phone numbers exposed, or had the text message verification code used to register with Signal revealed, the service wrote in a blog post. The attackers also explicitly queried Twilio’s systems for three of the 1,900 numbers, according to Signal.
While the attack was active, the Twilio infiltrator could attempt to re-register the Signal account to a different device, and in one confirmed instance did so successfully.
Although an attacker who re-registered a number would not gain access to that user’s message history or contact lists, “they could send and receive messages from that phone number on Signal.”
“For all 1,900 of the users potentially affected, we will unregister Signal on all devices that the user is currently using (or, that an attacker registered them to) and require them to re-register Signal with their phone number on their preferred device,” the company wrote.
The messenger service said it is directly notifying all affected users via text message.
Signal also recommended users set a PIN for their accounts and turn on registration lock, a feature which requires a PIN before a number can be re-registered with the service.
“The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against,” the service wrote. “While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users.”
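To make the mechanism described above concrete, here is an added example (constructed for this article, not Signal’s code and not from the article itself) that models the two registration flows: verification by SMS code alone, where anyone who can read the provider’s console can re-register the number, and verification with a registration lock, where the same code is useless without the account PIN. The `RegistrationServer` class, the phone number and the PIN are all hypothetical sample values; the caller plays the role of the SMS provider so the trust boundary that the Twilio breach crossed is visible in the code.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    phone: str
    device_id: str
    pin_salt: Optional[bytes] = None
    pin_hash: Optional[bytes] = None
    registration_lock: bool = False


class RegistrationServer:
    """Toy model of phone-number-based registration (constructed; not Signal's implementation)."""

    MAX_PIN_ATTEMPTS = 5  # brute-force guard for the PIN check

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.pending_codes: dict[str, str] = {}  # phone -> one-time SMS code
        self.pin_failures: dict[str, int] = {}   # phone -> failed PIN attempts

    def send_sms_code(self, phone: str) -> str:
        """Issue a 6-digit code. A real service hands this to an SMS provider;
        here the caller receives it, i.e. the caller *is* the provider."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[phone] = code
        return code

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        # Slow hash so a stolen database does not yield PINs cheaply.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)

    def set_pin(self, phone: str, pin: str, lock: bool = True) -> None:
        """Store a salted PIN hash and (by default) turn on registration lock."""
        acct = self.accounts[phone]
        acct.pin_salt = secrets.token_bytes(16)
        acct.pin_hash = self._derive(pin, acct.pin_salt)
        acct.registration_lock = lock

    def _pin_ok(self, acct: Account, pin: str) -> bool:
        assert acct.pin_salt is not None and acct.pin_hash is not None
        return hmac.compare_digest(self._derive(pin, acct.pin_salt), acct.pin_hash)

    def register(self, phone: str, device_id: str, sms_code: str,
                 pin: Optional[str] = None) -> tuple[bool, str]:
        """Bind `phone` to `device_id`. Any existing device is displaced."""
        expected = self.pending_codes.get(phone)
        if expected is None or not hmac.compare_digest(expected, sms_code):
            return False, "bad or expired verification code"
        del self.pending_codes[phone]  # codes are single use

        acct = self.accounts.get(phone)
        if acct is not None and acct.registration_lock:
            if self.pin_failures.get(phone, 0) >= self.MAX_PIN_ATTEMPTS:
                return False, "registration lock: too many PIN failures"
            if pin is None or not self._pin_ok(acct, pin):
                self.pin_failures[phone] = self.pin_failures.get(phone, 0) + 1
                return False, "registration lock: PIN required"
            self.pin_failures.pop(phone, None)

        if acct is None:
            self.accounts[phone] = Account(phone=phone, device_id=device_id)
        else:
            acct.device_id = device_id
        return True, "registered"


def simulate_provider_compromise(lock_enabled: bool) -> tuple[bool, str]:
    """Victim registers; someone with read access at the SMS provider sees the
    next code and tries to re-register the number to a different device."""
    srv = RegistrationServer()
    phone = "+15550001111"  # constructed sample number
    srv.register(phone, "victim-phone", srv.send_sms_code(phone))
    if lock_enabled:
        srv.set_pin(phone, "482913")  # constructed sample PIN
    leaked_code = srv.send_sms_code(phone)  # visible in the provider's console
    return srv.register(phone, "other-device", leaked_code)  # no PIN supplied


if __name__ == "__main__":
    print("no lock:  ", simulate_provider_compromise(False))
    print("with lock:", simulate_provider_compromise(True))
```

The point the model makes is that the SMS code only proves control of the number as the telecom ecosystem sees it, which a compromised provider console also has; the PIN is a second factor that the provider never holds, so a registration lock turns a provider breach from an account takeover into a failed re-registration attempt that the server can log.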
Signal accounts are tied to phone numbers, but using a number from a service like Twilio is one way for users to register and have access to the end-to-end encryption offered by the app without using a personal phone number.
This workaround has sometimes been recommended as an added safety step to at-risk groups, including journalists — who often rely on encrypted communication channels to connect with sensitive sources, but are also frequently the target of sophisticated digital surveillance.
Twilio reported last week that it discovered an attacker used a text-based phishing campaign to gain access to its customer support console. In an update Wednesday, it reported that the company had “identified approximately 125 Twilio customers whose data was accessed by malicious actors for a limited period of time” and had notified them of the breach.
“Twilio generally does not comment on specific customer situations. However, with respect to the matter disclosed by Signal, we are aware of it and take any potential incident involving the protection of our customers’ information seriously,” Twilio Director of Corporate Communications Cris Paden told The Record. “We have been in close contact with Signal and are working together with them to aid their investigation.”
Andrea Peterson (they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.