Some Signal users’ phone numbers exposed in Twilio breach
You are (probably) not affected by this Signal breach
Signal is, more often than not, synonymous with privacy and security. After all, its encryption protocol not only protects its own chats with end-to-end encryption, but is also used in messaging apps like WhatsApp, which are used by billions of people around the world. Although its chat app is built with a focus on security from the ground up, it still runs on the internet, which means nothing is truly foolproof. For example, a breach that allowed attackers to access Twilio’s customer support console via phishing affected some Signal users, exposing their phone numbers.
In a report, Signal confirmed that the Twilio breach affected a small number of users. Twilio provides phone number verification services to Signal, sending users OTP codes when they register with the app. Fortunately, this small number is really tiny: only 1,900 unlucky individuals were affected. That’s a fraction of Signal’s 40 million daily active users.
Message history, contact information, contact lists, and other personal data were not affected, as most (or all) of this information is stored on your device rather than on Signal’s servers (depending on your configuration). But the fact that phone numbers were exposed means a potential attacker could learn that a phone number was registered with Signal, or re-register the phone number on another phone. In fact, of those 1,900 exposed users, Signal says the attackers searched for three specific phone numbers, and one of them was re-registered on another device. Fortunately, everything is fine now at Twilio, so other Signal accounts are no longer in danger.
If you were one of the 1,900 affected users, Signal should have already contacted you by text (or should be about to do so). If the app prompts you to re-register your Signal account, you’ll need to do so, as potentially affected accounts have been de-registered as a security measure. While you’re at it, you should also enable registration lock. This way, if more such breaches occur in the future, you should be safe from potential attackers.