Signal Faces a Security Incident Involving Twilio Verification
Recently a security incident affected the messaging app Signal. The breach exposed the personal data of up to 1,900 users. Signal is widely seen as a private and secure alternative to other messaging apps. The disclosure came via a public post on social media on Monday, confirming the incident.
The company works with Twilio, a third party that provides phone number verification services through SMS. In early August, Twilio disclosed a sophisticated cyber attack that allowed unauthorized access to their systems and some customer data. Attackers used a phishing tactic to impersonate Twilio staff and gain access to the verification infrastructure.
Former CIA analyst Edward Snowden urged users to stay vigilant. He noted that the attack affected a small portion of Signal users, with the total user base surpassing 40 million worldwide. Signal stated that message histories, contact lists, profile information, blocked contacts and other personal data for most users remained private and secure, clarifying that the breach did not compromise its core messaging content.
What Should Signal Users Do Now
The breach could allow attackers to determine a user’s phone number on a new device. If a user does not have registry lock enabled, an attacker could impersonate the victim on a different device. However, despite impersonation, the attacker would not be able to read past messages until the app is reinstalled on the targeted device.
To protect accounts, Signal recommends enabling registry lock. This security measure requires a PIN to re-register a phone number. Users can enable this feature by opening the app, navigating to settings, then privacy, and turning on registry lock. Keeping the PIN confidential and changing it if there is any doubt about its security helps mitigate risk when devices are reused or reset.
Signal stresses that user data such as message histories stored on devices, contact lists, and profile details do not become more exposed simply due to the breach. The organization continues to review security measures and urges users to adopt best practices for device security and account protection.