Signal warns of phishing campaign targeting user backup keys
A new wave of attacks aims to compromise Signal’s Secure Backups feature, with reports indicating targets include anti-CCP activists and others, though the full scope remains unclear.

Hackers have launched a coordinated phishing campaign targeting Signal users, attempting to steal the secret recovery keys required to access encrypted chat backups. The fraudulent messages, which impersonate the application’s support team, warn recipients that their backed-up chats and media are at risk of permanent loss due to a sync issue. To prevent this, the messages urge users to share their recovery key within the chat interface.
Washington Post analyst Josh Rogin highlighted the campaign on Wednesday by sharing a screenshot of the attack. The message, purporting to come from an account labelled “Signal Support,” stated that linking the backup to the account was essential to avoid losing access to stored data. Rogin noted that several anti-Chinese Communist Party activists had received the malicious message and urged them to remain vigilant.
Mohammed Al-Maskati, director at Access Now’s Digital Security Helpline, confirmed to TechCrunch that two individuals had received similar messages. Al-Maskati clarified that these recipients were not Chinese activists, suggesting the campaign may be more widespread than initially thought or that multiple distinct hacker groups are employing the same strategy. The full scope and effectiveness of the attack remain unclear, and it is not yet confirmed whether any recovery keys have been successfully stolen.
This campaign specifically targets the Secure Backups feature launched by Signal last year, which allows users to upload encrypted account contents to Signal’s servers. Unlike previous hacking campaigns that focused on hijacking phone numbers to re-register accounts on new devices, this method aims to access historical data, including older chats, photos, and documents. Previous attacks typically did not grant access to past messages due to Signal’s design, as older messages do not appear on a newly registered device.
Signal has repeatedly warned that it will never contact users first, nor will it ask for registration codes, PINs, or recovery keys. The organisation states that the recovery key is never shared with Signal’s servers and never leaves the user’s device. Without the unique key, no one, including Signal, can read, decrypt, or restore data in the Secure Backup Archive. Signal did not respond to a request for comment regarding the current wave of attacks.


