Encrypted messaging app Signal has alerted its users that Twilio, the company behind providing Signal with phone number verification services has been hit by a phishing attack. Signal has alerted almost 2,000 of its users that their accounts were exposed to Twilio attackers and that they were looking for three specific numbers during the time they had access to the accounts.


The phishing attacker who targeted Twilio has no longer access to the accounts and the attack has been shut down by the company.


"For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. This attack has since been shut down by Twilio. 1,900 users is a very small percentage of Signal’s total users, meaning that most were not affected," Signal said in a statement. 


The encrypted messaging platform also assured its users that their message history, contact lists, profile information, and users they'd blocked, among other personal data remain private and secure and were not affected by the attackers who targeted Twilio.


"The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against. We strongly encourage users to enable registration lock. While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users," Signal added.


Signal mentioned that it was notifying the 1,900 affected users directly, and prompting them to re-register Signal on their devices. If you received an SMS message from Signal with a link to this support article, please follow these steps:



  • Open Signal on your phone and register your Signal account again if the app prompts you to do so.

  • To best protect your account, Signal recommends that you enable registration lock in the app’s Settings.

  •