Messaging service provider Signal said the phone numbers of 1,900 users could have been revealed in a phishing attack on Twilio, its verification services provider, earlier this month.
The attacker could have accessed the SMS verification code used to register with Signal, but message history, profile information and contact lists were not revealed.
Signal said an attacker could have attempted to re-register number to another device or learned that their number was registered to Signal.
Twilio, which disclosed the attack earlier this month, said it has been working together with Signal to help their investigation.
The San Francisco, California-based Twilio has over 256,000 businesses, including Ford Motor, Mercado Libre and HSBC, among its customers.