Signal confirms 1,900 of its users were hit by Twilio breach
Last week's phishing attack on Twilio has exposed phone numbers exposed and compromised user accounts
Encrypted messaging platform Signal has confirmed that a number of its customers have been affected by the phishing attack on Twilio last week.
The company believes around 1,900 of its users are potentially affected by the breach of the communication API firm, with phone numbers and SMS verification codes potentially exposed to the hackers.
Signal said Twilio informed it of the breach at the time, and a subsequent investigation revealed the hackers gained access to Twilio’s customer support console.
“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code,” said Signal in a public disclosure. “The attacker no longer has this access, and the attack has been shut down by Twilio.”
It added that the attackers specifically searched for three phone numbers out of the total 1,900 exposed, and the owner of one of these numbers has confirmed to Signal that their account was re-registered.
Re-registering a user’s account does not give the attacker access to any messages, profile information, or contact lists, Signal said, since this data is stored on a user’s device only.
“Your contact lists, profile information, whom you’ve blocked, and more can only be recovered with your Signal PIN which was not (and could not be) accessed as part of this incident,” it told customers.
By re-registering a user’s account, an attacker would be able to send and receive Signal messages from that phone number, however.
Signal is currently in the process of notifying all affected users by SMS and is de-registering Signal on all affected users’ devices. The 1,900 users will be required to re-register their accounts with their phone numbers on all devices they use.
This process began on Monday and Signal expects to complete it by the end of the day.
Since the action taken by Signal following Twilio’s breach, some users will have seen a banner in the app saying their account has been de-registered.
This may mean they were affected by the incident, it said, or it could indicate their account had been inactive for a long period.
Signal had previously prepared for this type of attack and is the reason it developed functionalities like Signal PINs and registration lock – a feature that prevents anyone else from registering an account with a user’s phone number.
This feature is not enabled by default, and Signal has recommended all users to enable it in the app’s settings menu, using a Signal PIN.
What happened in the Twilio breach?
Last week, several Twilio employees were targeted by socially engineered phishing attacks which resulted in some staff handing over passwords to the attackers.
SMS messages were sent with password reset links which directed targets to fake Twilio pages where attackers harvested the login credentials of some staff members.
RELATED RESOURCE
An EDR buyer's guide
How to pick the best endpoint detection and response solution for your business
Targets were addressed by their name, in some cases, and texts appeared to be sent from Twilio’s IT department, the company said.
It’s unclear who was behind the attack but it was thought the attackers were well-equipped given the thorough understanding of the company, able to link current and former employees with phone numbers and real names.
Twilio said it was aware that other companies were also targeted at the same time, one of which was revealed as Cloudflare.
The DDoS mitigation company confirmed it was also targeted by a phishing attack at around the same time as Twilio, but was not breached as a result due to the company-wide use of hardware-based, FIDO2-compliant multi-factor authentication (MFA) keys.
-
Why patching velocity matters as Claude Mythos supercharges vulnerability discoveryFrontier AI models such as Claude Mythos and GPT-5.5 make patching more urgent than ever. How can firms increase the velocity at which they apply fixes and mitigations?
-
The UK is running on fumes as data center build-outs can’t keep pace with demandNews The country's vacancy rate has dropped sharply, with much of the pipeline early-stage and uncertain
-
Two US nationals sentenced for role in prolific fake worker laptop farmsNews The Americans were raising money for the North Korean regime by allowing fake IT workers to appear as legitimate US-based employees
-
Beware of emails threatening a code of conduct reviewNews A widespread phishing campaign has targeted tens of thousands of employees
-
Microsoft and NCSC issue alerts over hacker campaigns targeting WhatsApp, Signal messaging appsNews Microsoft warns about a sophisticated attack that starts with WhatsApp messages, while the NCSC says such incidents are on the rise
-
Is your new hire an AI clone? Microsoft says North Korean hackers are using AI to impersonate job seekers and steal company secretsNews The groups are increasingly using face-changing or voice-changing software to make their fake identities more plausible
-
Google issues warning over ShinyHunters-branded vishing campaignsNews Related groups are stealing data through voice phishing and fake credential harvesting websites
-
Thousands of Microsoft Teams users are being targeted in a new phishing campaignNews Microsoft Teams users should be on the alert, according to researchers at Check Point
-
Microsoft warns of rising AitM phishing attacks on energy sectorNews The campaign abused SharePoint file sharing services to deliver phishing payloads and altered inbox rules to maintain persistence
-
Warning issued as surge in OAuth device code phishing leads to M365 account takeoversNews Successful attacks enable full M365 account access, opening the door to data theft, lateral movement, and persistent compromise
