Messaging app Signal supports end-to-end encryption and keeps no logs of your calls or messages, which makes it one of the safest and most privacy-focused messaging apps available. However, a recent phishing attack on Twilio, the provider Signal uses to deliver SMS verification codes, exposed a number of Signal accounts to takeover through the phone-number registration process.
This came to light when Twilio notified Signal that it had suffered a phishing attack. The attacker had tricked Twilio employees into handing over credentials and used them to gain access to Twilio's customer support console. Through that console, the attacker could have seen the phone numbers and SMS verification codes of approximately 1,900 Signal users.
Findings from the investigation showed that the attacker had explicitly searched for three numbers among those 1,900 and had re-registered one of them to a device under the attacker's control. The owner of that account had already reported the unexpected re-registration to Signal before the investigation began.
More importantly, the attacker did not gain access to any message history, profile information, or contact lists, because Signal keeps no copy of them. All of this data is stored only on the user's device, so re-registering a phone number gives an attacker a fresh, empty account, not the victim's history.
Twilio shut down the attacker's access soon after discovering the intrusion, but that short window was enough for the attacker to expose the phone numbers and verification codes of roughly 1,900 people.
Twilio is working with Signal to support its investigation. In addition, Signal said that for all 1,900 potentially affected users it would unregister Signal on all of their devices and ask them to re-register Signal with their phone number on their preferred device.
The company has begun notifying all 1,900 potentially affected users directly via SMS. Signal also recommends that all users enable Registration Lock in Signal's settings, which requires the user's Signal PIN before the phone number can be registered on a new device, so that a stolen SMS verification code alone is not enough to take over an account.