Signal has a reputation for being one of the most secure and private messaging platforms. That reputation does not stop attackers from trying to find a way into its systems and causing havoc, which they did on the 8th of August, although not directly.
The attackers reached Signal through a breach at Twilio, the company that provides phone number verification services to Signal. As a result, they gained access to the phone numbers and SMS verification codes of almost 2,000 users.
The affected 2,000 users are part of 125 Signal customers who are believed to be large worldwide organizations. Even Signal themselves were part of the victims. The hackers reportedly got through after successfully phishing multiple employees at Twilio.
In a blog post published on 15th August, Signal charts the way forward, saying it would notify the 1,900 users whose phone numbers or SMS verification codes were exposed when the attackers gained access to Twilio’s customer support console.
“For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal… Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered,” Signal explains on its blog.
Since Signal does not store a user’s message history, contact list or profile information, the attackers would come away with none of that. However, an attacker who managed to re-register an account could then send and receive messages while masquerading as the victim.
For the affected users, Signal has already unregistered the app on every device they were using, and will require them to register again with their phone number on the device of their choice.
For enhanced security, Signal users are advised to switch on Registration Lock, a feature that prevents an account from being re-registered on another device without the user’s security PIN.
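The point of Registration Lock is that possession of the SMS verification code, which is exactly what the Twilio breach exposed, is no longer enough to take over the number. The following is an added, constructed model of that check; it is not Signal's code or protocol, and the phone number, PIN, scrypt parameters and the five-attempt lockout threshold are illustrative assumptions. It runs the same leaked-code scenario twice, once without and once with the lock, and also shows the legitimate owner moving to a new device, which unregisters the old one as described above.

```python
"""Constructed model (not Signal's implementation) of SMS re-registration
with and without a Registration Lock PIN."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

MAX_PIN_ATTEMPTS = 5  # hypothetical lockout threshold, not Signal's value


@dataclass
class Account:
    phone: str
    device_id: str
    pin_salt: Optional[bytes] = None
    pin_hash: Optional[bytes] = None  # set only when Registration Lock is on
    failed_pin_attempts: int = 0


def _derive(pin: str, salt: bytes) -> bytes:
    # Memory-hard KDF so a leaked hash cannot be brute-forced cheaply;
    # cost parameters here are illustrative only.
    return hashlib.scrypt(pin.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def enable_registration_lock(acct: Account, pin: str) -> None:
    acct.pin_salt = secrets.token_bytes(16)
    acct.pin_hash = _derive(pin, acct.pin_salt)
    acct.failed_pin_attempts = 0


class VerificationService:
    """Stands in for the SMS provider: issues and checks one-time codes.
    In the real incident this is the component whose console was breached."""

    def __init__(self) -> None:
        self._codes: Dict[str, str] = {}

    def send_code(self, phone: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._codes[phone] = code
        return code  # normally delivered by SMS; returned so the demo can use it

    def check(self, phone: str, code: str) -> bool:
        return hmac.compare_digest(self._codes.get(phone, ""), code)

    def consume(self, phone: str) -> None:
        self._codes.pop(phone, None)


def register(accounts: Dict[str, Account], sms: VerificationService, phone: str,
             code: str, new_device: str, pin: Optional[str] = None) -> str:
    """Returns 'registered', 'bad_code', 'pin_required', 'bad_pin' or 'locked_out'."""
    if not sms.check(phone, code):
        return "bad_code"
    acct = accounts.get(phone)
    if acct is not None and acct.pin_hash is not None:
        # Registration Lock: a valid SMS code alone does not move the number.
        if acct.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
            return "locked_out"
        if pin is None:
            return "pin_required"
        if not hmac.compare_digest(_derive(pin, acct.pin_salt), acct.pin_hash):
            acct.failed_pin_attempts += 1
            return "bad_pin"
    # Success: the number is bound to the new device and the previous device
    # is implicitly unregistered; the lock settings carry over.
    accounts[phone] = Account(phone, new_device,
                              pin_salt=acct.pin_salt if acct else None,
                              pin_hash=acct.pin_hash if acct else None)
    sms.consume(phone)
    return "registered"


def demo():
    sms = VerificationService()
    accounts: Dict[str, Account] = {}
    phone = "+15550100"  # constructed number
    accounts[phone] = Account(phone, "victim-phone")

    # Scenario 1: no Registration Lock. Whoever can read the SMS code wins.
    leaked_code = sms.send_code(phone)
    no_lock = register(accounts, sms, phone, leaked_code, "attacker-device")

    # Scenario 2: Registration Lock on. The same kind of leaked code is not enough.
    accounts[phone] = Account(phone, "victim-phone")
    enable_registration_lock(accounts[phone], "4921")  # constructed PIN
    leaked_code = sms.send_code(phone)
    with_lock = register(accounts, sms, phone, leaked_code, "attacker-device")
    wrong_pin = register(accounts, sms, phone, leaked_code, "attacker-device", pin="0000")
    owner = register(accounts, sms, phone, leaked_code, "owners-new-phone", pin="4921")
    return no_lock, with_lock, wrong_pin, owner


if __name__ == "__main__":
    print(demo())
```

The first scenario reproduces the exposure the article describes: with only SMS verification, whoever sees the code can bind the number to a new device. With the lock enabled, the same request is refused until the PIN is supplied, and wrong guesses count toward a lockout, which is why the PIN rather than the phone number becomes the thing an attacker would need.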
A breach affecting 2,000 users is a tiny fraction of Signal’s 40 million plus users. Still, it exposes a weak point: one of the most secure messaging platforms still requires users to have a phone number in order to create an account.
Other messaging platforms that tout security and privacy as their main selling points only require users to create a username, rather than tying a phone number to the account.