
Twilio Hack Confirmed To Have Exposed 1,900 Phone Numbers From Privacy Messaging App Signal

A breach involving a partner of privacy messaging app Signal has exposed about 1,900 phone numbers used to create an account with the app. Signal says that only a very small percentage of its user base was impacted and that no information beyond phone numbers was exposed, but the Twilio hack raises questions about how much access Signal partners and contractors have to the security-focused service.

Leading privacy messaging app exposes “small amount” of phone numbers via hack of partner’s customer service portal

Twilio is the third-party service that the Signal privacy messaging app uses to verify phone numbers when users create new accounts. An incident report indicates that the Twilio hack was caused by “sophisticated” phishing of an unspecified number of employees who had access to the company’s customer service portal. The attacker apparently sent spoofed SMS messages that appeared to come from the IT department to a number of Twilio employees, indicating that their company login credentials had expired or that their work schedule had changed and prompting them to visit a fake login site. Though the company did not provide a specific number, the Twilio hack report indicates that multiple employees were taken in by this attack.

A status update from Twilio indicated that the data of 125 customers was accessed by the threat actors for some amount of time, and that each of these impacted parties has been contacted. Signal has indicated that during the Twilio hack the attackers had some level of access to about 1,900 registered phone numbers in its custody. For these customers, the attackers were able either to view the SMS verification code used to register with the privacy messaging app, or to input a phone number and have the system tell them whether it was registered to a Signal account. However, Signal says that during the Twilio hack window the attackers only searched for three specific numbers, and only one of these was re-registered to another device.

The Twilio hack did not leak any passwords, authentication tokens, or API keys, according to the company. Signal added that the attackers did not have access to message history, profile information, or contact lists. The privacy messaging app does not store message history on a server, and customers must use a personal Signal PIN to access other aspects of the account. The company said that impacted customers were being contacted as of August 15 and are being asked to re-register.

Twilio hack raises questions of who has access to Signal

With guaranteed end-to-end encryption on by default, Signal’s privacy messaging app should have secure messaging no matter what sort of hacks or breaches might happen. If the company can’t access the messages, neither can attackers.

However, the Twilio hack does raise questions about what ancillary information could be obtained by attackers, particularly by way of third parties that Signal works with. Though this attack did give hackers the potential to re-register a Signal account to a new device, prior messages are stored on the original device only, and the attackers would need the victim’s Signal PIN to access server-side aspects of the account such as contacts and account information. But simply verifying that a known phone number is tied to a Signal account could expose activists, journalists and others protecting themselves from surveillance and harassment.

Signal has indicated that it may improve this aspect of its privacy messaging app by having users register with usernames instead of phone numbers, but there are no specifics or a timetable for this change as of yet. This feature is available in several other privacy messaging apps on the market, such as Wire. In the meantime, though there was only one instance of a device being re-registered to an attacker, Signal’s mandatory re-registration of the 1,900 impacted accounts will preclude the possibility of their being hijacked by the Twilio hackers. Signal currently offers an optional “registration lock” feature that extends the user PIN protection to any attempt to re-register the account on another device.

The Signal terms of service and privacy policy page specifies that the app works with third-party service providers, but does not go into detail about who they are, how many there are, or what they have access to. In early 2022 the app added a crypto wallet feature in partnership with MobileCoin, of which Signal founder Moxie Marlinspike was also a co-founder. The privacy messaging app’s partnerships are likely very limited due to its status as a non-profit and its reliance on donations to function, but the profile of potential third-party exposure is not entirely apparent to the average end user.

Erich Kron, security awareness advocate at KnowBe4, notes that an app that handles communications as sensitive as these (and that advertises itself as one of the most privacy-focused pieces of software available) is even more reliant on user trust than most organizations, and that this perception must be nurtured and carefully addressed: “While not a lot of sensitive information was leaked, with applications such as Signal which are privacy focused, the erosion of trust can be a significant issue itself. Just the knowledge that a phone number is registered with Signal can be used by potential attackers to craft very specific phishing text messages that could lead to further compromise. This is also a lesson in the impact that trusted vendors, in this case Twilio, can have on your own organization … Phishing remains a potent weapon for cybercriminals, so organizations should ensure employees are trained in spotting and reporting any phishing attempts by bad actors. Organizations would be wise to ensure that partner organizations are also taking the threat of social engineering seriously and are addressing it in their own security as well.”