1,900 phone numbers of Signal users accessed in phishing attack

Messaging platform Signal - known for its end-to-end encryption policy - said phone numbers of 1,900 users might have been revealed in a phishing attack on Twilio Inc, its SMS verification services provider, earlier this month.

“Via Twilio, attackers may have accessed phone numbers & SMS registration codes for 1,900 Signal users,” it said on Twitter.



However, Signal said the messaging history, profile information, contact lists, and other data were not and could not be accessed.

“The information attackers accessed could allow them to attempt to register a Signal user’s phone number on a new device if that user had not enabled registration lock,” it claimed in a series of tweets on Monday.

Phishing - a common type of a cyber attack - involves sending fraudulent communications appearing to come from a reputable source through emails. The goal is to steal sensitive data such as credit card and login information, or to install malware on the victim’s machine.

Twilio, first, disclosed the phishing attack on August 4 through its blog post.

“Twilio became aware of unauthorised access to information of its customer accounts through a sophisticated social engineering attack designed to steal employee credentials. This broad- based attack against our employees succeeded in fooling some employees into providing their credentials,” the SMS verification partner wrote.

Twilio said the attackers used the stolen credentials to gain access to some of its internal systems to access certain customer data. It said it had notified the aggrieved customers and was working with them as part of an ongoing investigation.

Explaining the modus operandi of the threat actors, Twilio said: “Our current and former employees recently reported receiving text messages purporting to be from our IT department.

The text bodies suggested the employee's passwords had expired, or their schedule had changed, and they needed to log into a URL the attacker controls.”

Further, the URLs used words such as "Twilio," "Okta," and "SSO" to trick users into clicking on a link taking them to an impersonated Twilio’s sign-in page.

“We are prompting them [the affected users] to re-register their Signal numbers and encouraging them to enable registration lock. We are also working with Twilio to ensure they upgrade their security practices,” Signal clarified on Twitter.


Twilio further claimed in its blog post that the messages originated from US carrier networks, which were eventually shut down.