New findings following the Twilio phishing attack revealed that Signal, one of its high-value clients and a popular encrypted messaging platform, was particularly affected. 1,900 of its users had their phone numbers and SMS registration codes exposed. However, Signal reassured users that the attacker could not gain access to "message history, contact lists, profile information, whom they'd blocked, and other personal data" associated with the account.
Signal also claims that 1,900 comprises a small percentage of their user base, so a majority of their users were not affected. Nevertheless, they notified affected users this week via SMS and prompted them to re-register Signal on their devices.
The company revealed in a security notice that the attacker explicitly searched for three numbers among the 1,900 users affected. One user of the three numbers already reported that their account was re-registered. This means the attacker can now send and receive messages from that phone number.
When The Register asked Signal why an attacker would specifically target these three numbers, suggesting maybe they are people of note, the company responded: "To respect the privacy of those specific people, we are not sharing any details about them."
Signal highlights the importance of enabling its app's security features to fend off after-effects of attacks that may befall third-party providers it uses. Because of what happened to Twilio, the company is pushing more of its users to take advantage of registration lock and Signal PINs, which can only be activated manually.
Registration Lock prevents someone from registering a Signal user's phone number to another device unless they know the PIN associated with the account. To enable Registration Lock, Signal users should go to Signal Settings (profile) > Account > Registration Lock.
"While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users," Signal said.
Last week, Cloudflare revealed a similar phishing tactic that got Twilio breached also targeted their employees last month. The campaign didn't work because Cloudflare employees were required to use physical security keys to access all applications they use in-house.