Online communication app Signal supports end-to-end encryption and does not keep logs of your calls. This makes it one of the safest and most privacy-focused messaging apps. However, a recent phishing attack on its verification service provider, Twilio, has somewhat dented its credibility.
The news broke when Twilio notified Signal that it had suffered a phishing attack. Twilio revealed that the attacker had gained access to its customer support console via phishing. The phone numbers of approximately 1,900 Signal users were reported to have been exposed in this incident.
The investigation found that, among the 1,900 phone numbers, the attacker explicitly searched for three, and one of those three users, whose account was re-registered, had already reported the incident to Signal.
Importantly, the attacker did not have access to any message history, profile information, or contact lists, because Signal does not keep a copy of this data. All of it is stored on the user's own device.
Twilio has shut down the attack and is working with Signal to support its investigation. Furthermore, Signal has reported that it will un-register Signal on all devices for all 1,900 potentially affected users and require them to re-register Signal with their phone number on their preferred device.
The company has already started the process of notifying all 1,900 potentially affected users directly via SMS.
Source and image: Signal