If you are a Signal messenger user: there has been a breach, so please enable “Registration Lock” in the mobile app to protect your account
Posted by jpluimers on 2022/08/29
For Signal messenger users: please visit [Wayback/Archive] Signal PIN: manage Registration Lock – Signal Support then enable it on your mobile phone.
The breach: [Wayback/Archive] Twilio attacker ‘explicitly’ looked for 3 Signal numbers • The Register
However, Signal – considered one of the better secured of all the encrypted messaging apps – claims the attacker would not have been able to access the message history, contact lists, profile information, or other personal data associated with these user accounts. The non-profit organization said in a security note on its site that it has identified and is notifying the 1,900 users directly, and prompting them to re-register Signal on their devices.
The underlying Twilio breach: [Wayback/Archive] Twilio Incident Report: Employee and Customer Account Compromise – August 4, 2022
The Signal announcement: [Wayback/Archive] Twilio Incident: What Signal Users Need to Know – Signal Support
To best protect your account, we strongly recommend that you enable registration lock in the app’s Settings. We created this feature to protect users against threats like the Twilio attack.
The Twitter thread is saved at [Wayback/Archive] Thread by @signalapp on Thread Reader App; highlights:
- [Wayback/Archive] Signal on Twitter: “Recently @twilio, which provides SMS verification services for Signal, suffered a phishing attack. Via Twilio, attackers may have accessed phone numbers & SMS registration codes for 1,900 Signal users. 1/” / Twitter
- [Wayback/Archive] Signal on Twitter: “Our registration lock function protects against these kinds of attacks. Enable registration lock by going into your Settings >> Account >> Registration Lock.
support.signal.org/hc/en-us/articles/360007059792-Signal-PIN#manage_registration_lock“
Via:
- [Wayback/Archive] John Scott-Railton on Twitter: “PSA: Do you use Signal? Turn on registration lock today. Here’s why… 1/ “
- [Wayback/Archive] John Scott-Railton on Twitter: “2/ @twilio handles SMS registrations for @signalapp. They got targeted w/a phishing attack. Attackers then used their access against some @signalapp users. …& a bunch of other Twilio customers (editorial: yikes, more disclosures likely inbound).”
–jeroen
The Wiert Corner - irregular stream of stuff 
Leave a Reply