Signal hack: Private messaging services hit by hack, leaking users’ phone numbers
Signal, the secure messaging app, has been hit by a hack that leaked its users’ phone numbers.
The attack means that 1,900 users have been compromised, with their phone numbers and SMS codes exposed. That means that hackers could potentially register those accounts onto a new device.
The hack is of particular concern to Signal, given that it is intended as a private messaging app and is regularly recommended for use by people whose messages need to stay especially secure.
The attack was not conducted directly on Signal, but rather on Twilio, a separate company that provides services to developers. Signal uses its services to verify users’ phone numbers when they sign up.
Last week, Twilio announced that it had been hacked, with attackers breaching its internal systems and accessing customer data. Signal was one of those customers, and so its users were caught up in the attack.
The hacker appeared to try to look for three accounts, and successfully re-registered one of them.
Signal says that it has now revoked the attackers’ access, that the hack has been shut down by Twilio, and that any affected users will be notified. Those who may have been caught up in the attack will receive text messages telling them to register their account again, and their accounts will be unregistered on any devices they are using.
The company also advised users to enable the “registration lock” feature that can be found in settings. That is intended to explicitly protect against such attacks – but it must be opted into manually.
It said that some of the problem is a result of vulnerabilities in the telecom system, used to send text messages and phone calls, which is still used to verify phone numbers on Signal. “While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” it said in an announcement.
The hack did not mean that the attacker got access to message history, profile information or contact lists, Signal advised. Likewise, message history is stored on specific devices, so that even if an account was re-registered it would have stayed secure.
However, an attacker would have been able to send and receive new messages, from someone else’s number, if their details were caught up in the attack.