In the summer of 2022, Twilio, the company that provides Signal with phone number verification services, suffered a phishing attack. Here's what our users need to know:
- All users can rest assured that their message history, contact lists, profile information, whom they'd blocked, and other personal data remain private and secure and were not affected.
- For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. This attack has since been shut down by Twilio. 1,900 users is a very small percentage of Signal’s total users, meaning that most were not affected.
We notified these 1,900 users directly, and prompted them to re-register Signal on their devices. If you received an SMS message from Signal with a link to this support article, please follow these steps:
- Open Signal on your phone and register your Signal account again if the app prompts you to do so.
- To best protect your account, we strongly recommend that you enable registration lock in the app’s Settings. We created this feature to protect users against threats like the Twilio attack.
What happened exactly?
Twilio, the company that provides Signal with phone number verification services, notified us that they had suffered a phishing attack. We conducted an investigation into the incident and determined the following.
- An attacker gained access to Twilio’s customer support console via phishing. For approximately 1,900 users, either 1) their phone numbers were potentially revealed as being registered to a Signal account, or 2) the SMS verification code used to register with Signal was revealed.
- During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code. The attacker no longer has this access, and the attack has been shut down by Twilio.
- Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered.
Importantly, this did not give the attacker access to any message history, profile information, or contact lists. Message history is stored only on your device and Signal does not keep a copy of it. Your contact lists, profile information, whom you’ve blocked, and more can only be recovered with your Signal PIN which was not (and could not be) accessed as part of this incident. However in the case that an attacker was able to re-register an account, they could send and receive Signal messages from that phone number.
We took these steps to protect affected users:
- For all 1,900 of the users potentially affected, we unregistered Signal on all devices that the user was currently using (or, that an attacker registered them to) and required them to re-register Signal with their phone number on their preferred device.
- We notified all 1,900 potentially affected users directly via SMS.
As of August 15th, we were already notifying users and requiring them to re-register Signal with their phone number. We completed this by August 16th.
The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against. We strongly encourage users to enable registration lock. While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users.
Did this affect me?
- Based on the information we received from Twilio, 1,900 users could potentially have been affected. We are notifying these users via SMS. We started notifying users on August 15th and completed notifying users by August 16th. The SMS message we were sending these users read: “This is from Signal Messenger. We’re reaching out so you can protect your Signal account. Open Signal and register again. More info: https://signal.org/smshelp"
- If you saw a banner when you opened Signal saying your device is no longer registered, you may have been impacted, but there are other reasons why you may no longer be registered such as a long period of inactivity.
Was my personal data accessed or hacked?
No. Signal is designed to keep your data in your hands rather than ours. Signal does not have access to your message history, contact list, profile information, whom you’ve blocked, and other personal data. And this information certainly is not available to Twilio, or via the access temporarily gained by Twilio’s attackers. However, in the case that an attacker was able to re-register an account during the time that the Twilio attack was active, they could send and receive messages from that phone number on Signal.
Was someone I chat with affected?
Given the small number of people affected, it is very unlikely. However, if you’re curious if a contact was affected, you can reach out to them and ask if they received an SMS notice from Signal asking them to re-register their account and pointing them to more information on the incident.
What should I do?
We encourage users to enable registration lock for their Signal account. Using an optional registration lock with your Signal PIN adds an additional verification layer to the registration process. Go to Signal Settings (profile) > Account > Registration Lock to do this.
What is Signal doing to prevent this from happening again?
We are in contact with Twilio, and are actively working with them and other providers to improve their security practices. On the user side, we encourage users to enable registration lock.