A phishing attack on communications giant Twilio led to a Signal privacy compromise for around 1,900 users. Their phone numbers were exposed, along with SMS verification codes that would allow an attacker to register accounts to a new device …
Background
Twilio provides a range of services to app developers, including the provision of voice and SMS functionality. In Signal’s case, the secure messaging app used Twilio to verify the phone numbers of new users.
Twilio revealed last week that it had fallen victim to a phishing attack, allowing an attacker to access customer accounts.
On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. This broad-based attack against our employee base succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data. We continue to notify and are working directly with customers who were affected by this incident. We are still early in our investigation, which is ongoing.
It was an embarrassing security failure given that the phishing appeared to be nothing more than an extremely unsophisticated text message claiming that Twilio employees needed to change their password.
Notice! <Account> login has expired. Please tap twilio-sso.com to update your password!
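The phishing text above works because a domain like twilio-sso.com borrows the brand name while sitting outside the company's real domains. The following is an added example (not code from Twilio, Signal, or the article) of the kind of check a mail or SMS gateway could run to flag such lookalike links before they reach staff: it extracts domains from a message, accepts anything whose registrable domain is on an allowlist, and flags domains that embed the brand token or sit within one edit of it. The allowlist and brand token are constructed for this example; the first sample message is the one quoted in the article, the others are made up.

```python
import re

# Assumed allowlist of the organisation's legitimate registrable domains
# (constructed for this example; a real deployment would load its own list).
ALLOWED_DOMAINS = {"twilio.com"}
# Brand tokens an impersonating domain is likely to embed (assumption).
BRAND_TOKENS = {"twilio"}

# Matches bare or URL-prefixed hostnames such as "twilio-sso.com" or
# "https://www.twilio.com/console".
DOMAIN_RE = re.compile(
    r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.IGNORECASE
)


def extract_domains(text):
    """Return every hostname found in the message, lower-cased."""
    return [m.group(1).lower() for m in DOMAIN_RE.finditer(text)]


def registrable(domain):
    """Naive registrable domain: the last two labels.

    Does not understand multi-part public suffixes such as co.uk; a
    production check would use a public-suffix list instead.
    """
    return ".".join(domain.split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch near-miss spellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if the domain impersonates the brand but is not on the allowlist."""
    reg = registrable(domain)
    if reg in ALLOWED_DOMAINS:
        return False
    # Brand token anywhere in the hostname, e.g. twilio-sso.com or
    # twilio.com.example.net.
    if any(tok in domain for tok in BRAND_TOKENS):
        return True
    # Second-level label within one edit of the brand, e.g. twillio.com.
    sld = reg.split(".")[0]
    return any(levenshtein(sld, tok) <= 1 for tok in BRAND_TOKENS)


def classify(message):
    """Return the list of lookalike domains found in a message (empty if clean)."""
    return [d for d in extract_domains(message) if is_lookalike(d)]


# Constructed sample inbox: the first line is the phishing text quoted in the
# article, the rest are invented for illustration.
SAMPLE_MESSAGES = [
    "Notice! <Account> login has expired. Please tap twilio-sso.com to update your password!",
    "Your Twilio invoice is ready at https://www.twilio.com/console",
    "Verify at twillio.com now",
    "Lunch at noon?",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        flagged = classify(msg)
        print(("FLAGGED " + ", ".join(flagged)) if flagged else "ok     ", "|", msg)
```

The allowlist check runs first so that genuine links under the company's own domain are never flagged; only hostnames that carry the brand name yet resolve to some other registrable domain are reported. The same logic applies to any brand, but it stays a heuristic: it will not catch a message that contains no link at all, which is why the advice later in the article (re-register only inside the app, never via a link in an unexpected text) still matters.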
Impact on Signal privacy
Signal’s use of Twilio for phone number verification meant that some user phone numbers were exposed. In some cases, the attacker attempted to re-register a user’s phone number to another device.
The company disclosed this in a blog post, and said that it was contacting affected users.
For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. This attack has since been shut down by Twilio. 1,900 users is a very small percentage of Signal’s total users, meaning that most were not affected.
We are notifying these 1,900 users directly, and prompting them to re-register Signal on their devices.
Because the attacker could also access the SMS verification codes sent to those phone numbers, this would give them the ability to register the account to a new device. It is not clear whether this actually happened.
An attacker gained access to Twilio’s customer support console via phishing. For approximately 1,900 users, either 1) their phone numbers were potentially revealed as being registered to a Signal account, or 2) the SMS verification code used to register with Signal was revealed.
During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code. The attacker no longer has this access, and the attack has been shut down by Twilio.
The company was careful to stress that no messages or other personal data were exposed.
All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected.
In the unlikely event that your Signal account was affected, the company will text you no later than the end of today, asking you to re-register. This should be done in the Signal app; you should of course never click on any link in an unexpected text message, a lesson it seems some Twilio employees need to learn.
Also last week, Twitter finally confirmed that account details were exposed by an attacker taking advantage of a vulnerability discovered back in January.