Encrypted chat service Signal is reporting that 1,900 users may have had their phone numbers leaked due to hackers breaching Twilio, a service provider for the messaging app.
In addition, the same users may have had the SMS codes needed to register the Signal app to a smartphone leaked to the hackers. In the wrong hands, the exposed information paves the way for an attacker “to register a Signal user’s phone number on a new device if that user had not enabled registration lock,” or what amounts to a hijacking risk, the messaging app says.
"Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered," Signal says. "In the case that an attacker was able to re-register an account, they could send and receive Signal messages from that phone number."
As a result, Signal is contacting the 1,900 affected users about the potential data exposure via an SMS message. Vulnerable users will also be required to re-register the Signal app on their smartphones.
The potential breach is unsettling since many Signal users expect the encrypted chat app to protect their privacy. The app is best known for offering end-to-end encryption, meaning Signal itself can’t even read your messages. But the app has long required consumers to use a real phone number on sign up, which has been a point of criticism.
Signal uses Twilio's SMS messaging to verify phone numbers for new sign-ups on the app. Twilio says hackers infiltrated the company's IT systems earlier this month by successfully phishing some company employees. The breach resulted in the hackers temporarily accessing
Read more on pcmag.com