Signal revealed the phone numbers and SMS codes of 1900 users could have been breached in a phishing attack on Twilio, the verification services provider for the encrypted messaging app, earlier this month.
As per reports, hackers might have accessed the data of countable customers after successfully phishing multiple employees. Twilio did not reveal the identification of the victims, but are likely to include large organizations including Signal.
Signal claims that the attackers might not get the message history that the app does not store, or information that are secured through PIN, but “in the case that an attacker was able to re-register an account, they could send and receive Signal messages from that phone number.”
Signal also said that for the affected accounts it will unregister Signal on all devices that the users are currently using or the attacker might have registered on, and will require users to re-register Signal with their active phone number on their preferred device.
Signal assures users that it is working closely with Twilio on the investigation, and stronger security updates.