Understanding the Twilio Incident and Its Impact on Signal

Applies to: Signal Private Messenger users
Last updated: September 2025

---

Problem

In August 2022, cloud communications company Twilio suffered a security breach. Twilio provides services to many apps, including Signal, which relies on Twilio for SMS verification during account registration and number changes.

The breach raised concerns about whether Signal users’ private messages and contacts were exposed, and what steps affected users needed to take to secure their accounts.

---

What Happened

• Attackers used a phishing campaign to gain access to Twilio employee credentials.
• With this access, they were able to see some customer data, including limited information related to Signal accounts.
• Specifically, attackers could re-register a small number of Signal users’ phone numbers on new devices by intercepting verification codes sent via Twilio.

---

Impact on Signal Users

• Messages and contacts were not exposed. Signal’s end-to-end encryption meant that attackers could not read message history, profile data, or contact lists.
• Around 1,900 Signal accounts were potentially affected by re-registration.
• For those users, an attacker could have temporarily registered their phone number on another device and sent/received Signal messages until the account was secured.

---

Signal’s Response

• Signal contacted all affected users via SMS and in-app alerts.
• The service forced a re-registration of accounts to prevent unauthorized access.
• Users were advised to enable Registration Lock PINs, an extra safeguard that prevents someone from registering your number on a new device without the PIN.

---

Solution for Users

If you use Signal and are worried about similar threats, here’s what to do:

1. Enable Registration Lock
   • Open Signal → Go to Settings > Account > Registration Lock.
   • Set a strong PIN that only you know.
2. Review active devices
   • In Signal, check Linked Devices under settings.
   • Remove any devices you don’t recognize.
3. Stay alert for suspicious activity
   • If you are suddenly logged out, your number may have been re-registered.
   • Immediately re-register your number in Signal.
4. Update apps and OS
   • Keep Signal and your operating system updated for the latest security protections.

---

Optional methods or tools

• Two-factor authentication on your mobile account: Prevents SIM-swap attacks that could be used alongside breaches.
• PIN manager apps: Help you remember your Registration Lock PIN securely.

---

Best Practices & Tips

• Always use Registration Lock to prevent unauthorized re-registration.
• Treat unexpected verification codes with suspicion — don’t share them.
• Follow Signal’s blog and support channels for official updates on security incidents.
• Remember: Even when services Signal depends on are breached, end-to-end encryption protects your private messages.