Encrypted messaging service Signal said the phone numbers of 1,900 users could have been revealed in a phishing attack on Twilio Inc, its verification services provider, earlier this month.
The attacker could also have accessed the SMS verification
code used to register with Signal, but message history, profile information and
contact lists were not revealed, the company said in a blog post on Monday.
"An attacker could have attempted to re-register number
to another device or learned that their number was registered to Signal,"
it said.
Twilio, which disclosed the attack earlier this month, said
it has been working together with Signal to help their investigation.
The San Francisco, California-based company counts over
256,000 businesses, including Ford Motor, Mercado Libre, and HSBC, among its
customers.
China recently became a target of a phishing attack when a
hacker claimed to have obtained the personal information of 48.5 million users
of a COVID health mobile app run by the city of Shanghai. This is the second
claim of a breach of the Chinese financial hub's data in just over a month.
The hacker with the username "XJP" posted an offer
to sell the data for $4,000 on the hacker forum Breach Forums last week.
The person provided a sample of the data including the phone
numbers, names, Chinese identification numbers, and health code status of 47
people.
Eleven of the 47 reached by Reuters confirmed they were
listed in the sample, though two said their identification numbers were wrong.
Reuters was unable to further verify the authenticity of the hacker's claim. ©
Reuters