I suspect many Twilio support reps need access to outgoing SMS, because manually looking over those will be an important component of handling a "someone is using your service for spamming" complaint.
Are you familiar with their API? We use their SMS auth service at my employer. Twilio is the one composing the outbound message including auth code. The API caller is not providing Twilio with an auth code and phone number. Twilio 100% knows which portion of the outgoing SMS is the auth code.
Sorry, not familiar with an Auth API. About 5 years ago I worked at a company that used their API, but we just used it as a service for sending texts to specific numbers. (And mostly we used different services, because it was more expensive than our other options.)
Do we know that Signal was using the Twilio Auth product and not something custom on top of Twilio?
We do know. Check the texts you’ve gotten while signing into Signal. You’ll notice that they originate from short codes (like 22395) that are also used by other services like Discord, square pay, just to name two.
Furthermore, it still doesn’t matter whether Signal was using their Authy service or not. There should be very tight data controls at Twilio where few employees would ever be able to retrieve clear text messages being sent to end users.
This incident is not getting nearly the attention it should imho.