The attacker behind the recent Twilio data breach may have accessed phone numbers and SMS registration codes for 1,900 users of the popular secure messaging app Signal.
“Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered,” the Signal team shared on Monday.
Twilio provides phone number verification services services (via SMS) for Signal.
Earlier this month, some Twilio employees fell for SMS phishing made to look like a legitimate message from the company’s IT department. The attacker managed to access information related to 125 Twilio customer accounts and, apprently, Signal’s was one of these.
This allowed the attacker to gather either the phone numbers of 1,900 registered Signal users or the SMS verification code they used to register with Signal.
“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code,” the Signal team explained.
As noted above, the attacker managed to re-register at least one of the three numbers they explicitly searched for.
“All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected,” the team noted. That’s because that data is stored on the users’ device and Signal has no access to or copy of it. “And this information certainly is not available to Twilio, or via the access temporarily gained by Twilio’s attackers,” they team added.
Unfortunately, in those cases where the attacker was able to re-register an account, they could impersonate the user by sending and receiving Signal messages from that phone number.
Signal is notifying potentially affected users of this breach directly via SMS. The company has unregistered Signal on all devices that these 1,900 users are currently using (or, that an attacker registered them to) and is asking them re-register Signal with their phone number on their preferred device.
In addition to that, they are urging them to enable registration lock (Signal Settings (profile) > Account > Registration Lock) for their account, which is a feature that helps prevent this type of account takeover.
The ramifications of the Twilio breach
“The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against. We strongly encourage users to enable registration lock. While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” the team concluded.
After the Twilio breach, the company said that other companies were similarly targeted.
Cloudflare confirmed they were among them but, luckily for them, the attacker was stymied by Cloudflare’s use of physical security keys.
It seems likely that we’ll be hearing about the ramification of the Twilio breach for some time to come.
5/ Lesson 2: Companies like @twilio are lowkey critical internet infrastructure.
The registration & authentication SMSes they process make them a high-value target.$TWLO et. al. must secure themselves accordingly.
— John Scott-Railton (@jsrailton) August 15, 2022
UPDATE (August 18, 2022, 03:55 a.m. ET):
Lorenzo Franceschi-Bicchierai, a senior staff writer at VICE Motherboard, confirmed that his was one of the three targeted Signal accounts.