Signal: Vulnerability reveals phone numbers of 1900 users

The phone numbers and SMS codes of 1900 Signal users are in the wild, due to a security breach at its partner Twilio. A reminder that no system, even one as secure as Signal, is tamper-proof.

Signal is arguably the most secure instant messaging service. However, this does not make it immune to attack. The company confirmed that the phone numbers and SMS codes of about 1,900 users were exposed due to a security breach at its verification partner Twilio. As TechCrunch noted, the attacker could use this information to authenticate on behalf of these users or to register their numbers on other devices.

Phone numbers and SMS codes of 1900 Signal users in the wild

The data has already been misused. The attackers requested three phone numbers and re-registered a specific user's account. Signal does not store chat history or contacts online, so this security breach should not have exposed any other sensitive data.

In any case, Signal has taken steps to limit the damage. The platform unregistered the app on all devices associated with the affected accounts, forcing users to re-register. The team also recommends activating the registration lock, which prevents anyone from re-registering your number on another device without providing a PIN.

This is due to a security breach at its partner Twilio.

Twilio identified the flaw on August 8th. Criminals, who have not yet been identified, used phishing to obtain credentials and access to the accounts of 125 customers. While it is not yet clear which other customers may have been affected, Twilio offers its services to a number of large companies and organizations.

A reminder that no system, even one as secure as Signal, is tamper-proof.

Either way, the attack puts pressure on Signal. It could prompt the platform to do what others have already done and drop its reliance on phone numbers, which can be vulnerable to SIM spoofing and other attacks. It is also a reminder that even very secure systems can have their partners as a weak link. A mistake at a third party is sometimes more dangerous than a direct attack.
