Messaging app Signal has revealed that the phone numbers of 1,900 users might have been revealed due to a phishing attack Twilio, its verification services provider.
In a tweet, Signal said that the attackers may have accessed the phone numbers and the SMS registration codes of nearly 2,000 users. However, the message history, profile info, contact lists and other data were not and could not be accessed, Signal said.
“The information attackers accessed could allow them to attempt to register a Signal user’s phone number on a new device if that user had not enabled registration lock,” the app said, adding that the developers have identified and are reaching out to the potentially affected users.
Signal said that the users are being prompted to re-register their numbers and are being encouraged to enable registration lock.
“We are also working with Twilio to ensure they upgrade their security practices,” it said.
“Signal’s commitment to your privacy –to building a product that protects your information from third parties including Signal–is what ensured that message history, profile info, contact lists, and other data were not vulnerable in this incident,” Signal said in the tweet.
To enable registration lock, go into settings, select account and tap on the registration lock option.
The Signal app was created by Signal Foundation, set up by former WhatsApp co-founder Brian Acton who left WhatsApp in 2017. It is an end-to-end encrypted messaging platform like WhatsApp.
Signal’s tagline is ‘say hello to privacy’. It is available for iPhone, iPad, Windows, Mac, Android and Linux. It does not allow backup of chats to Google Drive or iCloud. It also does not allow groups to add people automatically unless the users give their nod.