Signal, the secure messaging app, has been hit by a hack that exposed some of its users' phone numbers.
The attack affected about 1,900 users: their phone numbers were exposed, along with the SMS verification codes sent to them. With a phone number and a live verification code, an attacker could register that account on a device under their own control.
The hack is of particular concern to Signal, given that it is intended as a private messaging app and is regularly recommended for use by people whose messages need to stay especially secure.
The attack was not conducted directly on Signal, but rather on Twilio, a separate company that provides services to developers. Signal uses its services to verify users’ phone numbers when they sign up.
Last week, Twilio announced that it had been hacked, with attackers breaching its internal systems and accessing customer data. Signal was one of those customers, and so its users were caught up in the attack.
The attacker appears to have explicitly searched for three accounts, and successfully re-registered one of them.
Signal says that Twilio has now shut down the attacker's access and that any affected users will be notified. Those who may have been caught up in the attack will receive a text message telling them to register their account again; their accounts will be unregistered from any devices they are using.
The company also advised users to enable the "registration lock" feature in the app's settings. Registration lock requires the user's Signal PIN before the phone number can be registered again, so a stolen SMS code on its own is not enough; it is intended to protect explicitly against attacks like this one, but it is off by default and must be opted into manually.
It said that part of the problem stems from weaknesses in the telecom ecosystem used to send text messages and phone calls, which Signal still relies on to verify phone numbers. "While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users," it said in an announcement.
The attack did not give the attacker access to message history, profile information or contact lists, Signal said. Message history is stored only on the user's own devices, not on Signal's servers, so even where an account was re-registered, past messages stayed out of reach.
However, an attacker who re-registered a number would have been able to send and receive new messages as that number for as long as the registration stood. Contacts of the affected user would have seen the usual safety-number-changed warning for that conversation, which is one signal that something is wrong.
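The following is an added example, not code from Signal or Twilio, that models why a breach at the SMS provider defeats SMS-only verification and why a registration lock stops it. It assumes a toy verification server, a third-party SMS provider that necessarily keeps a delivery log of every code it sends, and an attacker who can read that log; all names, numbers and PINs are constructed for the demonstration.

```python
"""Toy model of phone-number re-registration with and without a registration-lock PIN.
Added example; none of these classes are Signal's or Twilio's real code."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 50_000  # low for a demo; a real server would tune this higher


class SmsProvider:
    """Third-party SMS provider. It must see every code it delivers, so anyone
    with access to its console can read them (constructed; not Twilio's API)."""

    def __init__(self):
        self.delivery_log = []  # (destination, body): what a breached console exposes
        self.inboxes = {}       # destination -> messages the real handset received

    def send(self, number, body):
        self.delivery_log.append((number, body))
        self.inboxes.setdefault(number, []).append(body)


class RegistrationServer:
    """Verification server: an SMS code proves control of the number; an optional
    registration-lock PIN proves the caller is the previous owner of the account."""

    def __init__(self, provider):
        self.provider = provider
        self.pending = {}      # number -> outstanding one-time code
        self.devices = {}      # number -> device id currently registered
        self.locks = {}        # number -> (salt, pbkdf2 digest of the PIN)

    def request_code(self, number):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = code
        self.provider.send(number, f"Your verification code is {code}")

    def enable_registration_lock(self, number, pin):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        self.locks[number] = (salt, digest)

    def register(self, number, code, device, pin=None):
        expected = self.pending.get(number)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        del self.pending[number]  # the code is single-use, even on a failed PIN check
        lock = self.locks.get(number)
        if lock is not None:
            salt, digest = lock
            if pin is None:
                return False
            candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
            if not hmac.compare_digest(candidate, digest):
                return False
        self.devices[number] = device
        return True


def attacker_reads_code(provider, number):
    """Attacker with provider console access scrapes the latest code sent to a number."""
    for dest, body in reversed(provider.delivery_log):
        if dest == number:
            return body.split()[-1]
    return None


def simulate(registration_lock):
    """Run the scenario once and report whether the attacker took over the number."""
    provider = SmsProvider()
    server = RegistrationServer(provider)
    victim = "+15555550100"  # constructed test number

    # Legitimate registration: the victim reads the code from their own handset.
    server.request_code(victim)
    legit_code = provider.inboxes[victim][-1].split()[-1]
    assert server.register(victim, legit_code, "victim-phone")
    if registration_lock:
        server.enable_registration_lock(victim, "2468")  # constructed PIN

    # Attack: trigger a fresh code for the victim's number, read it from the
    # breached provider log, and try to register the number on another device.
    server.request_code(victim)
    stolen_code = attacker_reads_code(provider, victim)
    took_over = server.register(victim, stolen_code, "attacker-phone")
    return {
        "takeover": took_over,
        "registered_device": server.devices[victim],
    }


if __name__ == "__main__":
    print("no lock:  ", simulate(registration_lock=False))
    print("with lock:", simulate(registration_lock=True))
```

Without the lock the attacker's device ends up registered for the victim's number, which is the outcome the article describes; with the lock the stolen code is consumed and rejected because the attacker cannot supply the PIN. The PIN is stored as a salted PBKDF2 digest and compared with `hmac.compare_digest` so that a compromise of this toy server's storage does not directly yield PINs; how Signal actually stores and enforces its PIN is outside what this page covers.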