IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Signal confirms 1,900 of its users were hit by Twilio breach

Last week's phishing attack on Twilio has exposed phone numbers exposed and compromised user accounts

Encrypted messaging platform Signal has confirmed that a number of its customers have been affected by the phishing attack on Twilio last week.

The company believes around 1,900 of its users are potentially affected by the breach of the communication API firm, with phone numbers and SMS verification codes potentially exposed to the hackers.

Signal said Twilio informed it of the breach at the time, and a subsequent investigation revealed the hackers gained access to Twilio’s customer support console.

“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code,” said Signal in a public disclosure. “The attacker no longer has this access, and the attack has been shut down by Twilio.”

It added that the attackers specifically searched for three phone numbers out of the total 1,900 exposed, and the owner of one of these numbers has confirmed to Signal that their account was re-registered.

Re-registering a user’s account does not give the attacker access to any messages, profile information, or contact lists, Signal said, since this data is stored on a user’s device only.

“Your contact lists, profile information, whom you’ve blocked, and more can only be recovered with your Signal PIN which was not (and could not be) accessed as part of this incident,” it told customers.

By re-registering a user’s account, an attacker would be able to send and receive Signal messages from that phone number, however.

Signal is currently in the process of notifying all affected users by SMS and is de-registering Signal on all affected users’ devices. The 1,900 users will be required to re-register their accounts with their phone numbers on all devices they use.

This process began on Monday and Signal expects to complete it by the end of the day.

Since the action taken by Signal following Twilio’s breach, some users will have seen a banner in the app saying their account has been de-registered.

This may mean they were affected by the incident, it said, or it could indicate their account had been inactive for a long period.

Signal had previously prepared for this type of attack and is the reason it developed functionalities like Signal PINs and registration lock – a feature that prevents anyone else from registering an account with a user’s phone number.

This feature is not enabled by default, and Signal has recommended all users to enable it in the app’s settings menu, using a Signal PIN.

What happened in the Twilio breach?

Last week, several Twilio employees were targeted by socially engineered phishing attacks which resulted in some staff handing over passwords to the attackers.

SMS messages were sent with password reset links which directed targets to fake Twilio pages where attackers harvested the login credentials of some staff members.

Related Resource

An EDR buyer's guide

How to pick the best endpoint detection and response solution for your business

Whitepaper cover with title and image of grey and green blocks, with the green ones connected to each otherFree Download

Targets were addressed by their name, in some cases, and texts appeared to be sent from Twilio’s IT department, the company said.

It’s unclear who was behind the attack but it was thought the attackers were well-equipped given the thorough understanding of the company, able to link current and former employees with phone numbers and real names.

Twilio said it was aware that other companies were also targeted at the same time, one of which was revealed as Cloudflare.

The DDoS mitigation company confirmed it was also targeted by a phishing attack at around the same time as Twilio, but was not breached as a result due to the company-wide use of hardware-based, FIDO2-compliant multi-factor authentication (MFA) keys.

Featured Resources

Big data for finance

How to leverage big data analytics and AI in the finance sector

Free Download

Ten critical factors for cloud analytics success

Cloud-native, intelligent, and automated data management strategies to accelerate time to value and ROI

Free Download

Remove barriers and reconnect with your customers

The $260 billion dollar friction problem businesses don't know they have

Free Download

The future of work is already here. Now’s the time to secure it.

Robust security to protect and enable your business

Free Download


Education and government most at risk from email threats

Education and government most at risk from email threats

26 Nov 2021
Attackers use CSS to fool anti-phishing systems

Attackers use CSS to fool anti-phishing systems

11 Nov 2021

Most Popular

How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022
What your hybrid workforce needs from their laptops
Advertisement Feature

What your hybrid workforce needs from their laptops

21 Sep 2022
Why collaboration is key to digital transformation

Why collaboration is key to digital transformation

13 Sep 2022