Signal is a very popular messaging app, thanks to its end-to-end encryption feature. However, this Monday, the company announced in a statement that the hack Twilio suffered at the beginning of the month affected almost 2,000 Signal accounts. This article covers the details.
Twilio’s hack affects Signal
Earlier this month, the API company Twilio suffered a hack, which affected almost 2,000 users on Signal. Signal uses Twilio to send verification SMS messages when users register in the messaging app, which has always been focused on security and uses end-to-end encryption for that reason. Due to the hack, the phone numbers of nearly 2,000 users have been compromised and exposed.
“For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal,” the company stated. “All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected.”
Signal also clarified that it is notifying each user individually, so each one will be able to re-register from their devices. For its part, Twilio clarifies that the hack occurred on August 4, when more than 125 customer accounts were affected due to a phishing attack that tricked workers into giving up their credentials.
The strange thing is that, once inside the Signal account, the cybercriminals only looked for 3 specific phone numbers, then used one of these to re-register an account with the messaging service. In this way, they managed to receive and send messages with that number. As part of its recommendations, the messaging company urges its users to activate the registration lock, which requires the Signal PIN before a device can be registered to the account.
This attack highlights several points to consider for proper cybersecurity. First, workers and their human nature are the weakest link in the security chain; as Cloudflare, a web infrastructure provider, demonstrated, it is best for each employee to have a physical security key. This way, Cloudflare has managed to prevent attacks that use the same phishing technique that affected Twilio and Signal.
Second, relying on a third party to deliver services or products, as Signal does with Twilio's services, is a weakness for users' data, so it is better to offer all services without third parties. And lastly, tying all security to a phone number is proving to be one of the best ways for attackers to access systems or get credentials, so new approaches are currently being sought to eliminate this dependency and safeguard each user's data.