Signal's reputation for secure messaging doesn't make it completely invulnerable to hacking incidents. The company has confirmed that a data breach at verification partner Twillio exposed the phone numbers and SMS codes of roughly 1,900 users. As TechCrunch observed, the intruder could have either used the information to either identify Signal users or re-register their numbers to other devices.
The data has already been misused. The culprit searched for three phone numbers, and re-registered the account of one user. Signal doesn't store chat histories or contacts online, so the breach shouldn't have revealed other sensitive details.
Signal is taking steps to limit the damage. It will unregister the app on all devices linked to affected accounts, forcing users to re-register. The team also recommended enabling a registration lock that bars anyone from re-registering on other devices without providing a PIN code.
Twilio revealed the breach on August 8th. The currently unidentified perpetrators used phishing scams to obtain login details and access the accounts of 125 customers. Although it's not clear which other customers were affected, Twilio typically serves large companies and organizations.
The attack increases pressure on Signal to join other encrypted messaging providers in moving away from phone numbers, which can be vulnerable to SIM swaps and other digit-based schemes. This is also a reminder that systems are only as secure as their technology partners — a slip at a third-party is sometimes as dangerous as a direct assault.