Our great sponsors
-
Signal-Server
Server supporting the Signal Private Messenger applications on Android, Desktop, and iOS
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
All of that means that, theoretically, if the Signal server that manages group information (storage-service) is malicious, or someone gains access to the server, without any more information they normally can’t access group metadata.
So phone numbers are not part of group metadata and can’t be accessed directly even if someone gets access to the groups server. However, because (as far as I know) the server still has a 1:1 mapping of UUID <-> phone number that it knows, then if the malicious actor has access to the main Signal server, they’d be able to access the phone numbers of members as well.