Signal User Phone Numbers Are Exposed as Phishing Attack Hits Telecom Company

19 Aug 2022

Twilio, a cloud-based communications company that offers the infrastructure for businesses to automate text message delivery to their customers, was compromised by hackers last week.

By hacking into Twilio’s internal networks, hackers could gain access to victims' accounts on Twilio services that were linked to their phone numbers. Cybercriminals may also have been able to read victims’ text messages.

As a result of the attack, the privacy of Signal’s users has suffered because Signal is one of Twilio’s many clients: Signal uses Twilio to send SMS verification codes to users who sign up for the app.

In this blog post, we will try to understand what happened and why the attack, which affected 1,900 Signal users, was possible.

How Fraudsters Orchestrated the Attack

As mentioned earlier, Twilio provides a text verification service. In our case, when a user registers his or her phone number with Signal, Twilio sends them an SMS with a verification code, which they then enter into the app.

Twilio has not provided a detailed technical explanation for the incident, but an investigation is known to be underway.

Nevertheless, in the recently published incident report, Twilio stated that the breach was caused by "unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials."

This attack resulted in employees being tricked into giving away their security credentials. It then became clear that this was a well-organized and targeted phishing attack (that much is certain, because the scammers knew exactly who to send the message to).

Staff members received messages allegedly from Twilio’s IT department. These messages contained “standard phrases” and a link urging them to change their login passwords since their current ones had expired.

The unsuspecting employees clicked on the link, which took them to a fake Twilio sign-in page… What happened afterward, we already know.

The attackers then used the stolen employee credentials to access some internal Twilio systems, including client data.

Interestingly enough though, unidentified threat actors used this access to specifically look up three phone numbers of Signal users, and then re-registered those accounts in the messaging app on new devices.

The re-registration, in turn, allowed the criminals to send and receive messages from those phone numbers. This meant that the hackers could impersonate the affected numbers by sending messages to other people.

StealthTalk Security Tip. To protect your phone number from a SIM swap attack and your StealthTalk account from unauthorized access, StealthTalk's leading cybersecurity team has added the Account Takeover Prevention feature to the messenger. It tracks unauthorized attempts to register the number you use for your StealthTalk account on a new device and offers to block them.

At the same time, Signal points out that the hack did not mean that attackers gained access to message history, message content, contact lists, profile information, and other personal data.

Precautions for Mitigating Security Risks After The Event: What Has Been Done

This incident has clearly demonstrated that leaks of sensitive information through human error have not gone away, and unfortunately, neither have the perpetrators who exploit them in targeted attacks.

Still, what steps should be taken if an incident does occur? Here's what Signal and Twilio did.

First, Twilio’s “security team revoked access to the compromised employee accounts to mitigate the attack”.

Second, Signal notified the 1,900 users whose phone numbers were caught up in the attack. It sent them text messages requiring them to re-register their accounts, because Signal had unregistered them on any devices they were using.

Communicating and keeping in touch with people about what happened are key components of post-incident handling.

But not just that.

It’s crucial to remember that each one of us is responsible for our own digital security and privacy online.

That's why incidents like the Twilio/Signal hack must also serve as a reminder of how extremely important it is to enable every security feature possible if you’re striving for ultimate privacy in secure messaging.

__

If you are an individual or a business user looking for professional secure communication to protect your own privacy or that of your clients, try StealthTalk.

Designed to meet the high security requirements of business professionals, StealthTalk will help you keep critical operations confidential and protect you against sophisticated cyberattacks, including wiretapping, man-in-the-middle, SIM-card spoofing and others.

Download the app for Android or iOS and enjoy your privacy today. StealthTalk is your next generation secure communication channel!
