End-to-end encrypted messaging app Signal said that, as part of the breach at communications giant Twilio, hackers accessed the phone numbers and SMS verification codes of 1,900 users.
The US-based cloud communications company, which provides Signal with phone number verification services, notified the messaging platform that it had suffered a phishing attack, prompting an investigation into the incident.
“For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. This attack has since been shut down by Twilio,” Signal said in a blog post.
The company said that 1,900 users are a very small percentage of Signal’s total users, meaning that most were unaffected.
“We are notifying these 1,900 users directly and prompting them to re-register Signal on their devices,” the company said.
Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and Signal received a report from one of those three users that their account was re-registered.
Importantly, this did not give the attacker access to any message history, profile information, or contact lists.
“We are in contact with Twilio, and are actively working with them and other providers to improve their security practices. On the user side, we encourage users to enable registration lock,” the platform said.
Twilio, which owns the popular two-factor authentication (2FA) service Authy, said over the weekend that on August 4 it became aware of unauthorised access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.