Twilio hackers exposed 1,900 Signal users in phishing attack
The hackers that breached the cloud communications company Twilio Inc. earlier this month may have exposed the phone numbers of 1,900 users of the encrypted messaging app Signal, the company said today – but that’s about all that the hackers had access to.
Signal assured users that hackers had no access to users’ message history, contact lists, profile information, block lists or any other private or secure information whatsoever.
According to Signal’s security note, those users on its platform have been notified that they have potentially been exposed and their devices have been de-registered from Signal. As a result, they must register them again with Signal if the app prompts them to do so.
Earlier this month, Twilio employees became the target of a “sophisticated social engineering attack,” also described as a phishing attack, designed to trick employees into giving up their login credentials; this gave hackers access to the company’s internal systems.
Twilio provides communication services for SMS, voice, video and other communication channels for more than 268,000 customers. The company provides SMS services for Signal, which means that during the window of the attack, device verification codes would have been exposed.
According to Signal, once the attackers had access to Twilio’s back-end systems, it would be possible for them to re-register customer phone numbers by transferring the account to a different device under their control by using the SMS verification code. However, Signal also stressed that since Twilio had already stopped the attack, attackers no longer had control of these codes.
“Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered,” Signal said in the security statement.
By re-registering the Signal account to a different device, the attacker would then be able to send and receive encrypted messages on that user’s account. It would not be possible to read message history, since that is stored only on the device. Contact lists, profile information, block lists and more can be recalled only with the Signal PIN, which cannot be accessed through this sort of incident.
There are no details on the three customers who were explicitly targeted or the one whose account was re-registered.
To add an extra layer of security, Signal is also encouraging users to activate what it calls “registration lock.” This requires a Signal PIN to register a phone number with a new device.
“While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” Signal said.