Hackers could have obtained 1,900 Signal users' numbers, Signal warns affected users what to do
Earlier this month, there was a security breach that affected Twilio (a platform that helps web plafroms communicate over SMS or voice), and encrypted-chat app Signal is now warning all of the 1,900 users who may have been affected, reports The Verge. Signal says there is a possibility the attackers who hacked Twilio to re-register a new device associated with an affected user's number.
Signal said that one of those three users whose numbers were searched for reported to Signal that the attackers used their number to re-register a new device. This way, an attacker can use someone else's number to send and receive messages.
Signal is sending messages with a link to its support page for the accounts that were potentially affected. There, you (in case you're one of those 1,900 people, a small percentage of Signal's users) can see how to enable Registration Lock to ensure nobody can use your number to re-register it with Signal. Another part of the message for those 1,900 users is how to re-register their phone numbers again.
Here's how to set up Registration Lock for your Signal:
If you forget your PIN, you may be locked out of your account for up to 7 days, and remember that Signal cannot reset the PIN for you. So, when enabling this, make sure you remember your PIN code.
Signal warns 1,900 users to enable Registration Lock
Signal announced that it has alarted all the users that had their accounts potentially revealed to the hackers that attacked Twilio. Twilio basically provides Signal with SMS phone number verification services. Additionally, Signal stated the attackers were searching for three specific numbers during the time they had access before Twilio kicked them out.
Signal said that one of those three users whose numbers were searched for reported to Signal that the attackers used their number to re-register a new device. This way, an attacker can use someone else's number to send and receive messages.
However, worry not - message history, contact lists, profile information or blocked people, and any other personal data has remained secure for all users.
We have identified and are contacting the 1,900 potentially affected users. We are prompting them to re-register their Signal numbers and encouraging them to enable registration lock. We are also working with Twilio to ensure they upgrade their security practices. 3/
— Signal (@signalapp) August 15, 2022
Registration Lock is a feature that can be helpful to anyone, and it is created just for attacks like the one that happened with Twilio. Basically, it requires your PIN code to register your number again with Signal. This way, if an attacker has managed to obtain your phone number, they cannot register it without your PIN code.
- Go to Signal Settings > Account > Registration Lock
- There, you can enable or disable it (this can only be modified on your phone)
If you forget your PIN, you may be locked out of your account for up to 7 days, and remember that Signal cannot reset the PIN for you. So, when enabling this, make sure you remember your PIN code.
Things that are NOT allowed: