On Monday, popular end-to-end encrypted messaging service Signal disclosed the cyberattack aimed at Twilio earlier this month may have exposed the phone numbers of roughly 1900 users.
Signal said, “for about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected.”
The company, which users Twilio to send SMS verification codes to users registering with the app, said it’s in the process of alerting affected customers directly.
Twilio revealed last week that data associated with about 125 customer accounts were accessed by malicious actors through a phishing attack that targeted the company’s employees.
In the case of Signal, the unidentified threat actor is said to have abused the access to explicitly search for three phone numbers, followed by re-registering an account with the messaging platform using one of those numbers, thereby enabling the party to send and receive messages from that phone number.
Signal has also urged customers to enable registration lock, an added security measure that requires the Signal PIN in order to register a phone number with the service.
Social engineering attacks, like phishing, rely on the human factor to be the weakest link in a breach. But the latest incident also shows that third-party vendors are also a risk to companies.
Erfan Shadabi, Cybersecurity Expert at comforte AG, suggests a zero-trust framework may be the key to reducing these sorts of attacks:
“One of the best approaches to mitigate such attacks is to adopt the Zero Trust framework. Zero Trust means you assume you’ve already been breached, provide no implicit trust, verify again and again, and only provide minimal privileges upon successful authentication. Protection methods such as tokenization can complement this framework because by tokenizing sensitive data immediately upon entering the corporate data ecosystem—and then not de-protecting it—people can have minimal or no access to the truly sensitive information while still being able to accomplish tasks (like data analytics). Positive trends such as Zero Trust architectures, supported by more data-centric protection methods (protecting the data itself rather than the borders around it), can really help in the long run.”