Messaging app Signal states that roughly 1,900
phone numbers may have been compromised in a recent hack of Twilio.
Signal warns that “an attacker could have attempted to re-register their number to another device or learned
that their number was registered to Signal."
However, it states that users' "message history, contact lists, profile information, whom they’d blocked, and other personal data
remain private and secure and were not affected."
Twilio, which provides SMS verification services for Signal, reported the attack earlier this month.
The firm
became aware of unauthorized access to information on a “limited number” of customer accounts last Thursday, August 4, Twilio says in a blog post.
Current and former employees
received text messages purporting to be from Twilio’s IT department.
“Typical text bodies suggested that the employee's passwords had expired, or that their schedule had
changed, and that they needed to log in to a URL the attacker controls,” the company states.
Twilio worked with U.S. carrier networks and hosting providers to
shut down these actors.
Signal adds that it is notifying the 1,900 users directly, and prompting them to re-register Signal on their devices.
“This
attack has since been shut down by Twilio,” it says. “1900 users is a small percentage of Signal’s total users, meaning that most were not affected.”