About 1,900 users of Signal, the messaging app often considered the gold standard for privacy, may have had their phone numbers or text verification codes exposed to hackers. The hack was part of a phishing attack on the carrier Twilio, which provides SMS verification service for Signal.
An attacker gained access to Twilio's customer support console via phishing. For nearly 1,900 users, their phone numbers were revealed as registered to a Signal account, or the SMS verification code used to sign up for Signal was revealed.
During the window in which the attacker had access to Twilio's customer support systems, it was possible for them to attempt to register the phone numbers they had access to on another device using an SMS verification code. The attacker no longer has this access, and the attack was stopped by Twilio.
Fortunately, the extent of the breach was relatively small given that Signal has around 40 million monthly active users, and it appears that many of the existing privacy measures that Signal uses have done their job of protecting user information. The company confirmed that users' message history, message content, contacts, profile information and other personal data were not affected. Instead, the hack allowed attackers to gain access to the phone numbers of a small subset of Signal users and possibly register new devices to them.
According to Twilio, the phishing attack appears to be coordinated and ongoing. Communication giant Signal wrote that other companies have also been hit by similar hack attempts, and that phishing attempts and scams keep popping up.