Signal is not invulnerable to hacking incidents. The company said that a data breach at verification partner Twillio exposed the phone numbers and SMS codes of roughly 1,900 users.
Signal’ End-to-end encryption is a failure
TechCrunch reported, “End-to-end encrypted messaging app Signal says attackers accessed the phone numbers and SMS verification codes for almost 2,000 users as part of the breach at communications giant Twilio last week.
Twilio, which provides phone number verification services to Signal, said on August 8 that malicious actors accessed the data of 125 customers after successfully phishing multiple employees. Twilio did not say who the customers were, but they are likely to include large organizations after Signal on Monday confirmed that it was one of those victims.
Signal said in a blog post Monday that it would notify about 1,900 users whose phone numbers or SMS verification codes were stolen when attackers gained access to Twilio’s customer support console.”
The data hacked has already been misused and it’s a big trouble for the users
Signal’s Steps
According to Engadget, “Signal is taking steps to limit the damage. It will unregister the app on all devices linked to affected accounts, forcing users to re-register. The team also recommended enabling a registration lock that bars anyone from re-registering on other devices without providing a PIN code.
Twilio revealed the breach on August 8th. The currently unidentified perpetrators used phishing scams to obtain login details and access the accounts of 125 customers. Although it’s not clear which other customers were affected, Twilio typically serves large companies and organizations.
The attack increases pressure on Signal to join other encrypted messaging providers in moving away from phone numbers, which can be vulnerable to SIM swaps and other digit-based schemes. This is also a reminder that systems are only as secure as their technology partners — a slip at a third-party is sometimes as dangerous as a direct assault.”
