Last week, hackers broke into the systems of Twilio, a cloud communications company that provides infrastructure to other companies to automate sending text messages to their users. By breaking into Twilio systems hackers could read victims’ text messages. This potentially gave the hackers a chance to take over any victim’s accounts that were tied to their phone number on services that use Twilio.
Crucially, Twilio provides text verification services for the encrypted messaging app Signal. When a user registers their phone number with Signal, Twilio sends them an SMS containing a verification code, which they then input to Signal. On Monday, Signal, which uses Twilio for delivering text messages with verification codes, disclosed that it was one of the targets of this attack. In particular, Signal said that hackers targeted around 1,900 of its users. This means that for those users, the hackers could have registered their numbers on their own device and essentially impersonated them, or intercepted the SMS verification code that Signal uses to register users.