Signal's encryption held — but a vendor breach still exposed users because accounts are tied to phone numbers
In August 2022, a phishing attack on Signal's SMS-verification vendor Twilio exposed the phone numbers of about 1,900 Signal users. No message contents were touched — the weakness was the phone number itself.
01 What actually happened
An attacker phished an employee of Twilio, the vendor Signal used to send SMS verification codes. For roughly 1,900 Signal users, the attacker could have learned that their phone number was registered to Signal, or could have used a leaked verification code to re-register that number to a new device. Signal confirmed that message history, contacts, profile data, and other personal information were not exposed, and that the encryption itself was not compromised.
02 Why it matters
Even a famously secure app can leak who you are when identity is anchored to a phone number routed through third-party telecom vendors. Cipher requires no phone number, so there is no SMS-verification vendor to breach and no number that can be enumerated or hijacked.
Sources
- TechCrunch · Aug 2022 · Signal says 1,900 users' phone numbers exposed by Twilio breach
- Signal Support · Aug 2022 · Twilio Incident: What Signal Users Need to Know
We describe only what these sources report. If you think we've framed something inaccurately, tell us — accuracy is the whole point.
Cipher is built for exactly this gap: zero-access encryption, no phone number, on-device AI, and minimal metadata — so the failure in this story can't happen the same way.