Signal warns users of phishing attack that may have caused some to lose their accounts
On Monday, encrypted communications app Signal said on Twitter that Twilio, a phone verification service provider that Signal uses to verify login attempts on its app, suffered a phishing attack. Signal said that 1,900 users of its service may have been affected as a result, potentially losing control of their accounts.
According to Signal, the attack compromised the mobile numbers and SMS verification codes of those 1,900 users, which could have allowed attackers to take over their Signal accounts. However, the service added that users could have lost control of their accounts only if they did not have PIN-based registration locks enabled.
A statement on the matter by Signal added that the breach “did not give the attacker access to any message history, profile information, or contact lists.”
Signal shot to popularity early last year, when a contentious privacy policy enforced by WhatsApp, Meta’s popular messaging service, raised questions and privacy concerns about the latter’s data collection.
However, while Signal has seen its user base grow since then, WhatsApp remains the most popular messaging service around the world. While neither company has disclosed any official figure, Signal reportedly has around 40 million monthly active users globally, compared with around 2.2 billion for WhatsApp.
Signal’s support statement added that it has been reaching out to the 1,900 users whose accounts may have been compromised due to this issue. The company further claimed that only one of the users may have faced a possible data loss.
“Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered,” Signal’s blog post read.
The attack has been resolved, Signal and Twilio confirmed.