16 August 2022

NEWS on The Verge

 ABOUT THE VERGE: The Verge is an ambitious multimedia effort founded in 2011 to examine how technology will change life in the future for a massive mainstream audience.

Our original editorial insight was that technology had migrated from the far fringes of the culture to the absolute center as mobile technology created a new generation of digital consumers. Now, we live in a dazzling world of screens that has ushered in revolutions in media, transportation, and science. The future is arriving faster than ever.

Got a tip for us? Here's how to send it securely.

Signal alerts 1,900 messaging users to a security threat from Twilio hackers

The attackers used their access to pull up three specific numbers

In this photo illustration the Whatsapp, Telegram, Signal,...Photo Illustration by Rafael Henrique / SOPA Images / LightRocket via Getty Images

data breach earlier this month affecting Twilio, a gateway that helps web platforms communicate over SMS or voice, may have had repercussions for users of Signal, the encrypted messaging platform. Today, Signal announced it has alerted 1,900 users that their accounts were potentially revealed to whoever hacked Twilio and said that the attackers searched for three specific numbers during the time they had access.

So far, Signal says it has heard from one of those three users that the attackers used their Twilio access to re-register a new device associated with their number, which would allow them to send and receive messages from that account.

According to Signal, “message history, contact lists, profile information, whom they’d blocked, and other personal data” for all users remained secure. However, if someone was among the users potentially revealed, and they don’t use Signal’s Registration Lock setting that requires their PIN to add a new device, then an attacker could’ve re-registered their account.

Signal is sending messages with a link to its support page for potentially affected accounts, as well as unregistering all devices connected to those accounts, and said it will be done with this process by tomorrow.

Summary

Recently Twilio, the company that provides Signal with phone number verification services, suffered a phishing attack. Here’s what our users need to know:

All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected.

For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. This attack has since been shut down by Twilio. 1,900 users is a very small percentage of Signal’s total users, meaning that most were not affected.

We are notifying these 1,900 users directly, and prompting them to re-register Signal on their devices. If you received an SMS message from Signal with a link to this support article, please follow these steps:

Open Signal on your phone and register your Signal account again if the app prompts you to do so.

To best protect your account, we strongly recommend that you enable registration lock in the app’s Settings. We created this feature to protect users against threats like the Twilio attack.

No comments:

The Resistance Is Not Coming to Save You. It’s Tuning Out

The Resistance Is Not Coming to Save You. It’s Tuning Out. COLUMN | CAPITAL CITY By  Michael Schaffer