“For approximately 1,900 users, the attacker may have attempted to re-register their number to another device or know that their number is already registered with Signal,” the company said. “All users can rest assured that their message history, contact list, profile information, people they’ve blocked and other personal data remains private and secure and untouched. “
Signal, which uses Twilio to send SMS verification codes to users who sign up with the app, said it is in the process of directly alerting affected users and prompting them to re-register for the service on their devices. mine.
The development comes less than a week after Twilio revealed that data related to around 125 customer accounts had been accessed by bad actors through a hack. phishing attack to trick company employees into handing over their credentials. The breach happened on August 4.
In the case of Signal, the unknown threat actor allegedly abused access to explicitly search three phone numbers, then re-registered the account with the messaging platform using one of the those numbers, thus allowing the party to send and receive messages from that phone number.
As part of its advice, the company has also encouraged users to enable registration keys, an extra security measure that requires a Signal PIN to register a phone number with the service.
Web infrastructure provider Cloudflare, also unsuccessfully targeted by sophisticated phishing, said the use of physical security keys issued to every employee helped thwart the attack. .
Phishing and other types of human-based social engineering are the weakest link in a breach. But the latest incident also highlights that third-party vendors pose many risks to companies.
This development further underscores the dangers of relying on phone numbers as a unique identifier, which SIM-swapping vulnerable technology allows bad actors to carry out account hijacking and transactional attacks. illegal money transfers.