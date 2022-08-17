Signal, a favorite app for privacy buffs, says a phishing attack compromised 1,900 users
- The encrypted messaging app said an attacker had accessed either users’ phone numbers or registration codes through verification service Twilio
Signal, which is widely seen as one of the most secure messaging services, said Monday that a phishing attack compromised 1,900 users and potentially revealed their phone numbers.
The encrypted messaging app said on its website that an attacker had accessed the information through Twilio Inc., a company that provides Signal with phone number verification services.
Signal said the attacker, whom it didn’t identify, didn’t access its users’ messages, contact lists or profile information. Still, the attacker saw either the users’ phone numbers or the registration codes that some users received over text when they first signed up for Signal.
While the attacker no longer has access to that information, Signal said, they had already searched for three phone numbers connected to the attack and had re-registered at least one account.
A Signal spokesman said Tuesday the company didn’t know who was behind the attack or what their motives were. He added that Twilio may provide more information about the attacker later.
The Signal spokesman said that by Tuesday the app had texted all 1,900 compromised users about registering their accounts again.
The Signal spokesman didn’t immediately respond to a question Tuesday about when the hack occurred. A spokesman for Twilio, a San Francisco-based company, declined to comment, citing the company’s ongoing investigation.
Twilio said on its website last week that it had learned earlier this month that attackers had texted some of its employees a link that tricked them into providing their credentials. The company, which builds communication software, said it hadn’t identified the attackers but that it was working with a forensics firm to investigate what had happened.
The Signal spokesman said this attack was the same one that compromised some Signal users’ data.
Signal has been a go-to messaging app for users concerned about surveillance since the company Open Whisper Systems launched the app in 2014. Messages and calls are encrypted on both ends so that not even the company can access them, according to Signal’s website. The app was downloaded nearly 140 million times around the world as of this month, according to data analytics firm Sensor Tower.
The service is popular with privacy buffs who can set their messages to automatically disappear or who hope to keep their communication hidden from potential hackers. The Signal app can be downloaded on smartphones and desktop computers.
Signal has said its user data is so encrypted that when federal prosecutors subpoenaed Signal in 2016, it only had two user data points to share: the date a user created an account and the date of last use.
Other messaging services like WhatsApp, which is owned by Meta Platforms Inc., and Apple Inc.’s iMessage also offer end-to-end encryption. But Meta and Apple can still see more of their users’ data than Signal can.
