Updated The security breach at Twilio earlier this month affected at least one high-value customer, Signal, and led to the exposure of the phone number and SMS registration codes for 1,900 users of the encrypted messaging service, it confirmed.
However, Signal – considered one of the better secured of all the encrypted messaging apps – claims the attacker would not have been able to access the message history, contact lists, profile information, or other personal data associated with these user accounts. The non-profit organization said in a security note on its site that it has identified and is notifying the 1,900 users directly, and prompting them to re-register Signal on their devices.
The company had already come under fire for its practice of SMS verification in the past, something which has rebounded in the wake of the disclosure.
According to Signal, Twilio provides SMS verification services for its platform. Twilio provides messaging, call center and two-factor authentication services, among others, to about 256,000 customers altogether – although it said in an earlier incident report about the breach that only 125 of its customers had data “accessed by malicious actors for a limited period of time.”
The news that Signal was one of the 125 has raised questions about the identity of other Twilio customers, especially as the encrypted comms platform is known for its transparency. Others may be less forthcoming.
According to Signal’s security note, when Twilio was hit by a phishing attack earlier this month, this may potentially have led to the phone numbers of 1,900 Signal users being revealed as registered to a Signal account. The encryption app platform added that the users’ SMS verification codes were also exposed.
It appears that during the window of time that the attacker had access to Twilio’s customer support systems, it would have been possible for them to attempt to re-register the phone numbers they had accessed, transferring the Signal account to another device under their own control, using the SMS verification code. It also stresses that the attacker no longer has this access, and that the attack had been shut down by Twilio.
Intriguingly, Signal states that the attacker explicitly searched for three phone numbers among the 1,900 accessed, and the organization has since received a report from one of those three users that their account was indeed re-registered and hijacked.
In this case, where an attacker was able to re-register an account, they would then be able to send and receive Signal messages from that phone number, Signal confirmed.
We asked Signal if there was any explanation as to why the attacker should target these three specific users, and we will update the story if we get a response.
Signal was at pains to point out that message history is stored only on the user’s device so Signal does not have copies of these that could be accessed. Contact lists, profile information and other private data can only be recovered with the user’s Signal PIN, which the organization could not access.
Furthermore, Signal said that its vulnerability to the Twilio attackers was one it has already sought to address through features such as registration lock and the Signal PIN.
Registration lock prevents anyone from registering a user’s phone number onto a new phone unless they have the PIN associated with that account. This feature must be activated by the user, and Signal is now strongly encouraging users to enable it.
Signal states that if users see a banner saying their device is no longer registered when opening Signal, it may indicate their account has been re-registered, but it cautions that users may no longer be registered for other reasons, such as if they have not been active on the service for a long period of time.
The Twilio breach earlier this month was a sophisticated phishing attack, whereby employees received text messages claiming to be from Twilio’s IT department asking them to login and change their password, linking to a phony web page designed to look like Twilio’s real sign-in page. If anyone fell for the ruse, the attacker used their credentials to access Twilio’s internal systems.
Last week, content delivery network Cloudflare revealed that it had been the target of a very similar breach attempt, but that attack failed because employees are required to use hardware security keys as part of their login process. ®
Updated to add
When The Reg asked if Signal could disclose, without giving up their identity, whether the people who were targeted were people of note, or whether they held a specific position that would mean an attacker would want to compromise their communications, Signal responded: “To respect the privacy of those specific people, we are not sharing any details about them.”
Vice journalist Lorenzo Franceschi-Bicchierai says he was one of the three.