On Monday, Signal announced it has alerted 1,900 users that their accounts were potentially revealed to whoever hacked Twilio- a gateway that helps web platforms communicate over SMS or voice.
Signal said that the attackers searched for three specific numbers during the time they had access, and added that it has heard from one of those three users that the attackers used their Twilio access to re-register a new device associated with their number, which would allow them to send and receive messages from that account.
This being said, Signal added, “message history, contact lists, profile information, whom they’d blocked, and other personal data” for all users remained secure. However, if someone was among the users potentially revealed, and they don’t use Signal’s Registration Lock setting that requires their PIN to add a new device, then an attacker could’ve re-registered their account.
Signal is currently sending messages with a link to its support page for potentially affected accounts, as well as unregistering all devices connected to those accounts, and said it will be done with this process by today.