Fallout from the recent phishing attack on communications company Twilio has spilt over to encrypted messaging app Signal, with users reporting bogus number re-registration attempts.
Twilio provides Signal with phone number verification services, meaning the attacker may have been able to learn that some numbers were associated with Signal users.
Signal said that during the window of time when the unknown attacker had access to Twilio's customer support systems, it was possible to attempt to register phone numbers to another device.
This was done by using a Signal short message service (SMS) text containing a verification code.
Attackers who succeed in re-registering an account to a device they control can send and receive messages from that phone number.
Some 1900 Signal users were potentially affected, and the attacker explicitly searched for three phone numbers among them.
One user has reported to Signal that their account had been re-registered.
Signal says that as users' message histories are only stored on their devices, there is no way for the phisher to get hold of them.
Other sensitive data such as contact lists, profile information, and blocked users can only be accessed with an account personal identification number (PIN), which Signal says couldn't be accessed in the attack either.
Signal has contacted the 1900 potentially affected users and de-registered their devices.
This will require the at-risk users to re-register Signal with their phone number.
The messaging company also strongly encourages users to enable the registration lock feature, which protects against attacks like this.