The phone numbers of 1,900 users of encrypted messaging service Signal may have been made public in a phishing assault earlier this month on Twilio Inc, its provider of verification services, according to Signal.
The business claimed in a blog post on Monday that the attacker might also have gotten the SMS verification code needed to register with Signal, although message history, profile details, and contact lists were not exposed.
According to the statement, “An attacker may have attempted to re-register the number to another device or discovered that the number was registered to Signal.”
Twilio said it has been collaborating with Signal to support their investigation since it first made the hack public earlier this month.