Signal's Verification Service, Twilio, Suffers Phishing Attack

1,900 Users affected

         

engine

9:44 am on Aug 16, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Signal has reported that its verification service, Twilio, suffered from a phishing attack, resulting in a small number of Signal users being affected (1,900). It has confirmed that the attacker could not access any message history, profile information, or contact lists.

What happened exactly?
Twilio, the company that provides Signal with phone number verification services, notified us that they had suffered a phishing attack. We conducted an investigation into the incident and determined the following.

An attacker gained access to Twilio’s customer support console via phishing. For approximately 1,900 users, either 1) their phone numbers were potentially revealed as being registered to a Signal account, or 2) the SMS verification code used to register with Signal was revealed.
During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code. The attacker no longer has this access, and the attack has been shut down by Twilio.
Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered.

Signal says it's contacted the 1,900 users directly.

[support.signal.org...]