Signal Phone Numbers Exposed in Twilio Hack
Twilio was hacked earlier this month, and the phone numbers of 1,900 Signal users were exposed:
Here’s what our users need to know:
- All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected.
- For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. This attack has since been shut down by Twilio. 1,900 users is a very small percentage of Signal’s total users, meaning that most were not affected.
We are notifying these 1,900 users directly, and prompting them to re-register Signal on their devices.
If you were not notified, don’t worry about it. But it does bring up the old question: Why does Signal require a phone number to use? It doesn’t have to be that way.
Alan • August 23, 2022 6:54 AM
I’m guessing Signal wants your phone # so they can connect users with each other using the existing contact info on their phones. This allows Signal to show you a list of your existing contacts that are also on Signal, and makes it easier for you to find and communicate with them. Signal also prob has some mechanism of verifying your cell #, which makes it harder for an attacker to impersonate you. If Signal instead used a unique Signal-only user ID, then you would have to txt or email that user ID to each person you wanted to communicate with via Signal, which would then make Signal more vulnerable to impersonation and phishing attacks.