Twilio Hack May Have Compromised 1,900 Signal Messenger Accounts


The attack on Twilio earlier this month may have compromised the phone numbers of approximately 1,900 Signal messenger users, according to the popular encrypted messaging service.

During the cyberattack that targeted Twilio, perpetrators allegedly attempted to re-register Signal users’ phone numbers to other devices. However, the company is confident that the incident didn’t affect personal data.

“For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal,” reads the company’s security advisory. “All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected.”

Furthermore, the attack didn’t compromise the Signal PIN, which is used in non-phone-number-based operations such as recovering profiles, settings, contacts and block lists. The PIN also acts as an optional registration lock that prevents others from fraudulently registering your number.

The company is taking steps to protect affected users by unregistering Signal on all devices currently using the compromised accounts and notifying customers directly via SMS. Signal asks these users to re-register the service with their phone number when prompted and to enable Registration Lock, an additional security measure against fraudulent registration attempts.

Accounts that use this security feature require a PIN to re-register the phone number with Signal. Users can toggle Registration Lock by following these steps:

  1. Launch Signal on your device
  2. Tap the kebab (three vertical dots) button
  3. Go to Settings > Account
  4. Toggle the Registration Lock switch on
  5. Tap the Turn On button to confirm your action
  6. Configure your PIN (no-limit, alphanumeric characters)

Note that forgetting your PIN could lock you out of your account for up to seven days, and Signal can’t reset it for you. However, the service has a built-in reminder that asks you periodically to confirm your PIN, to help you memorize it.

Specialized software such as Bitdefender Digital Identity Protection can help keep your identity safe against the influx of data breaches with features like:

  • Providing you with an overview of your digital footprint
  • Monitoring public and Dark Web sources for breaches that could compromise your identity
  • Offering specific, one-click actions to address data leaks