Secure communications services provider Signal on Monday disclosed impact from the recent Twilio hack, after threat actors attempted to re-register the phone numbers of some of its users to new devices.
Earlier this month, enterprise software vendor Twilio announced that it fell victim to a cyberattack, after threat actors tricked one of its employees into revealing their login credentials.
Armed with the employee’s credentials, the threat actor accessed internal systems that contained customer data. Overall, the data of 125 customers was impacted in the incident, Twilio said on Wednesday.
“There is no evidence that customer passwords, authentication tokens, or API keys were accessed without authorization,” the company said.
The enterprise communication API powerhouse also said that it has improved the security of internal systems, and that the threat actors are relentless in their social engineering attempts.
Signal, which contracted Twilio for phone number verification services, is one of the customers impacted by the incident.
In an August 15 notice, the secure messaging company announced that, after gaining access to Twilio’s customer support console, the attackers attempted to re-register the phone numbers of certain Signal users to new devices, or accessed their Signal SMS verification code.
“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code. The attacker no longer has this access, and the attack has been shut down by Twilio,” Signal announced.
The company also notes that the incident impacted roughly 1,900 of its users, and that the attackers did not have access to users’ contact list, message history, profile information, list of blocked numbers, or other personal information.
“Message history is stored only on your device and Signal does not keep a copy of it. Your contact lists, profile information, whom you’ve blocked, and more can only be recovered with your Signal PIN which was not (and could not be) accessed as part of this incident,” Signal notes.
The company also points out that the attackers were able to send and receive Signal messages on behalf of the impacted users after registering their accounts to new devices. Signal says that the attackers specifically searched for three numbers – out of the total 1,900 – and that they re-registered at least one.
Signal says it’s in the process of alerting potentially impacted users via SMS. For all 1,900 accounts, the company has unregistered all devices and is asking users to re-register them.
The secure communications firm is encouraging users to enable ‘registration lock’ on their accounts, a feature that adds an extra layer of protection to accounts, preventing this kind of telecom attacks.