Around 1,900 users of Signal had their phone numbers exposed via a Twilio breach
Signal has disclosed that a massive Twilio phishing attack disclosed the phone numbers of 1,900 of its users.
As detailed via an official support article, phone numbers and SMS codes for 1,900 users were exposed. The article states the following:
"All users can rest assured that their message history, contact lists, profile information, whom they'd blocked, and other personal data remain private and secure and were not affected."
This means, on the bright side, the private contents exchanged on Signal weren't leaked due to the Twilio attack. However, their phone numbers could have been reregistered to other devices without their consent. In order to counter this, the 1,900 impacted users were contacted by Signal directly and required to reregister. This notification process is set to be completed by August 16th.
To counter vulnerabilities from attacks like this in the future, Signal is "working with Twilio and potentially other providers to tighten up their security where it matters for our users." It recommends everyone that uses Signal to set up the registration lock.