Signal, the encrypted messaging service, revealed that a phishing attack on its verification services provider, Twilio Inc, earlier this month, may have exposed the phone numbers of 1,900 users. While the attacker could potentially access the SMS verification code for Signal registration, Signal assured users that message history, profile details, and contact lists remained undisclosed, as stated in a blog post on Monday. The company emphasized that the attacker might have attempted to re-register a number to another device or learned of its association with Signal.
Twilio, which disclosed the attack earlier, has collaborated with Signal in their joint investigation. Headquartered in San Francisco, California, Twilio serves more than 256,000 businesses, including Ford Motor, Mercado Libre, and HSBC.
In a separate incident, China faced a phishing attack targeting a COVID health mobile app in Shanghai, claiming personal information from 48.5 million users. The hacker, known as “XJP,” offered to sell the data for $4,000 on the Breach Forums hacker forum last week. A sample provided by the hacker included phone numbers, names, Chinese identification numbers, and health code statuses of 47 individuals. Reuters verified that 11 of the 47 people confirmed their listing, though two mentioned inaccuracies in their identification numbers. The authenticity of the hacker’s claim could not be further verified by Reuters.
