If you ask around for a privacy-first instant messenger recommendation, you will hear the name Signal a lot. Signal is an open source, end-to-end encrypted messaging app, recommended by the likes of Elon Musk and Edward Snowden. Alas, nothing on the internet is entirely safe: Signal users were recently affected by a phishing attack, not on Signal itself but on one of its vendors.
More specifically, current and former employees recently reported receiving text messages purporting to be from our IT department. Typical text bodies suggested that the employee’s passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls. The URLs used words including “Twilio,” “Okta,” and “SSO” to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page.
– Twilio Blog on the Recent Attack
Signal uses a third-party company, Twilio, for phone number verification: the SMS verification codes sent when a number is registered go through Twilio. Twilio's customer support console was maliciously accessed through a sophisticated social engineering attack. The attackers phished employee credentials and used them to log in to the support console.
Twilio initially said that 125 of its customers were affected by the phishing attack; Signal is one of those customers. In a follow-up, Signal said that approximately 1,900 of its users were affected. For those 1,900 phone numbers, an attacker with access to the support console could have learned that the number was registered to a Signal account, and could have seen the SMS verification code used for that registration, which is exactly what is needed to register the number on a new device.
Signal also revealed that among the 1,900 phone numbers, the attackers explicitly searched for three, and one of those three accounts was re-registered. That is the full extent of the exposure: the attackers did not gain access to any message history, profile information, or contact lists, because message history lives only on the user's device and profile data and contacts are encrypted under the user's Signal PIN, none of which passes through the SMS verification path. After a re-registration, new messages to that number would reach the attacker's device until the owner re-registers, but the existing history stays where it was.
Signal is notifying all potentially affected users directly through SMS. For everyone else, Signal highly recommends turning on Registration Lock (Settings > Account > Registration Lock), which requires the user's Signal PIN, in addition to the SMS code, before the phone number can be registered on a new device. Since the PIN never goes through the SMS provider, a compromise like Twilio's is not on its own enough to take over a locked account.
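To make the mechanism concrete, here is a toy model of SMS-based registration with and without a registration lock. This is an added illustration, not Signal's or Twilio's code: the `SmsProvider`, `RegistrationServer` and `scenario` names, the PIN hashing scheme, and the sample phone number are all constructed for the example. The provider's message log stands in for what a compromised support console exposes, and the point is that reading that log is enough to re-register a number unless a PIN that never touches the provider is also required.

```python
"""Toy model of SMS-based registration with and without a registration lock.

Constructed illustration for this post, not Signal's or Twilio's code.
Whoever can read the SMS provider's logs (a support console) sees the
verification code and can try to re-register the number on their own
device. A registration lock adds a PIN that never passes through the SMS
provider, so the console view alone is no longer enough.
"""
import hashlib
import hmac
import os
import secrets


class SmsProvider:
    """Stand-in for a third-party SMS provider. Its message log is what a
    compromised support console would expose to an attacker."""

    def __init__(self):
        self.log = []  # (phone, body): visible to anyone with console access

    def send(self, phone, body):
        self.log.append((phone, body))

    def console_lookup(self, phone):
        """What an attacker with console access can search for."""
        return [body for p, body in self.log if p == phone]


def hash_pin(pin, salt):
    # Slow hash: a short numeric PIN must not be brute-forceable from a leaked hash.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000, dklen=32)


class RegistrationServer:
    def __init__(self, sms):
        self.sms = sms
        self.pending = {}   # phone -> 6-digit code awaiting verification
        self.accounts = {}  # phone -> {"device": str, "lock": (salt, hash) or None}

    def request_code(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = code
        self.sms.send(phone, f"Your verification code is {code}")

    def register(self, phone, code, device, pin=None):
        """Bind `phone` to `device`. Returns True on success."""
        expected = self.pending.get(phone)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        acct = self.accounts.get(phone)
        if acct and acct["lock"] is not None:
            salt, stored = acct["lock"]
            # Correct SMS code but missing/wrong PIN: re-registration refused.
            if pin is None or not hmac.compare_digest(hash_pin(pin, salt), stored):
                return False
        del self.pending[phone]
        self.accounts[phone] = {"device": device, "lock": acct["lock"] if acct else None}
        return True

    def enable_registration_lock(self, phone, pin):
        salt = os.urandom(16)
        self.accounts[phone]["lock"] = (salt, hash_pin(pin, salt))

    def owner_device(self, phone):
        return self.accounts[phone]["device"]


def code_from_sms(body):
    return body.rsplit(" ", 1)[-1]


def attacker_reregisters(server, sms, phone):
    """Attacker with console access: trigger a code, read it from the provider's
    log, and try to move the number to their own device. True if it worked."""
    server.request_code(phone)
    code = code_from_sms(sms.console_lookup(phone)[-1])
    return server.register(phone, code, device="attacker-phone")


def scenario(with_lock):
    """Returns (attacker_succeeded, device the number is bound to afterwards)."""
    sms = SmsProvider()
    server = RegistrationServer(sms)
    phone = "+15555550123"  # constructed sample number
    # Legitimate owner registers normally (reads the code from their own phone).
    server.request_code(phone)
    owner_code = code_from_sms(sms.console_lookup(phone)[-1])
    assert server.register(phone, owner_code, device="owner-phone")
    if with_lock:
        server.enable_registration_lock(phone, "4321")  # PIN never sent via SMS
    taken_over = attacker_reregisters(server, sms, phone)
    return taken_over, server.owner_device(phone)


if __name__ == "__main__":
    print(scenario(with_lock=False))  # (True, 'attacker-phone')
    print(scenario(with_lock=True))   # (False, 'owner-phone')
```

Without the lock, the attacker's re-registration succeeds using nothing but the code read from the provider's log; with the lock, the same attacker is refused because the PIN is never in that log. Two details worth keeping even in a toy: the PIN is stored only as a salted slow hash, and both the code and the PIN hash are compared with `hmac.compare_digest` so timing does not leak which digits matched.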