Signal uses a third party company, Twilio, for phone number verification services. Twilio’s customer support console was apparently maliciously accessed through a sophisticated social engineering attack. The attackers were able to steal employee credentials, and used it to access the support console. – Twilio Blog on the Recent Attack Twilio initially claimed that 125 of their customers were affected by the phishing attack. But Signal in a recent follow-up claimed that approximately 1,900 of their users were affected. For the 1900 users, their phone numbers could have been potentially revealed as being tied to a signal account, and even the SMS verification codes used for that registration. Signal also revealed that among the 1900 phone numbers, the attackers explicitly searched for three numbers, with one of user accounts being re-registered. Thankfully, that is the full extent of the recent phishing attack, and the attackers didn’t have any access to any message history, profile information, or contact lists. Signal is meanwhile notifying all the potentially affected users directly through SMS. For everyone else, Signal highly recommends turning on registration lock from their signal account.