The hack of Twilio earlier this month may have compromised the phone numbers of around 1,900 Signal users, according to the encrypted messaging service.
During the smishing attack on Twilio, threat actors allegedly attempted to re-register Signal users’ phone numbers to other devices. The company maintained, however, that the incident didn’t affect personal data.
“For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal,” said the company in its security advisory. “All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected.”
The attack didn’t compromise the Signal PIN either. The PIN is used for operations that don’t depend on the phone number, such as recovering profiles, settings, contacts and block lists, and it also serves as an optional registration lock that prevents threat actors from fraudulently registering users’ numbers.
Additionally, the company has taken steps to protect affected users by unregistering Signal on all devices tied to compromised accounts and notifying those users directly via SMS. Signal told users to re-register with their phone number if prompted to do so and to enable registration lock, an additional safeguard against fraudulent registration attempts.
Accounts with this feature enabled require the PIN before the phone number can be re-registered with Signal. If you forget your PIN, you could be locked out of your account for seven days (Signal cannot reset it for you). Fortunately, Signal also has a built-in reminder that periodically asks you to confirm your PIN to help you memorize it.