We took these steps to protect affected users: However in the case that an attacker was able to re-register an account, they could send and receive Signal messages from that phone number. Your contact lists, profile information, whom you’ve blocked, and more can only be recovered with your Signal PIN which was not (and could not be) accessed as part of this incident. Message history is stored only on your device and Signal does not keep a copy of it. Importantly, this did not give the attacker access to any message history, profile information, or contact lists.
Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered.The attacker no longer has this access, and the attack has been shut down by Twilio. During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code.For approximately 1,900 users, either 1) their phone numbers were potentially revealed as being registered to a Signal account, or 2) the SMS verification code used to register with Signal was revealed. An attacker gained access to Twilio’s customer support console via phishing.We conducted an investigation into the incident and determined the following. Twilio, the company that provides Signal with phone number verification services, notified us that they had suffered a phishing attack. We created this feature to protect users against threats like the Twilio attack. To best protect your account, we strongly recommend that you enable registration lock in the app’s Settings.Open Signal on your phone and register your Signal account again if the app prompts you to do so.If you received an SMS message from Signal with a link to this support article, please follow these steps: We notified these 1,900 users directly, and prompted them to re-register Signal on their devices. 1,900 users is a very small percentage of Signal’s total users, meaning that most were not affected. This attack has since been shut down by Twilio. For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal.All users can rest assured that their message history, contact lists, profile information, whom they'd blocked, and other personal data remain private and secure and were not affected.In the summer of 2022, Twilio, the company that provides Signal with phone number verification services, suffered a phishing attack.
0 kommentar(er)
