Signal: Hackers Target Signal Users to Steal Backups in New Attack Wave

Signal Users Targeted in Phishing Campaign Exploiting Backup Recovery Keys

A coordinated phishing campaign is exploiting Signal’s in-app messaging to deceive users into surrendering their backup recovery keys, granting attackers access to years of encrypted conversations. The scheme, first reported in late May 2026, impersonates "Signal Support" with fraudulent messages warning of imminent data loss due to a fabricated "sync issue."

Victims receive direct messages from an unverified account labeled "Signal Support," urging them to act quickly to avoid permanent data loss. The message instructs users to navigate to Signal’s backup settings, copy their recovery key, and paste it into the chat, claiming this will "link" their backup. In reality, the key decrypts stored chat histories, allowing attackers to access messages, media, and sensitive documents in plaintext.

Unlike previous attacks that hijacked live accounts via registration codes, this campaign focuses on stealing archived backups, targeting journalists, dissidents, and anti-Chinese Communist Party activists. Security researchers confirm the messages are part of a broader, politically motivated effort, with human rights defenders and civil society groups disproportionately affected.

Signal has reiterated that its official support team will never initiate contact within the app or request recovery keys, PINs, or registration codes. Any such message should be treated as malicious. While Signal’s infrastructure encrypts backups, the recovery key remains the sole decryption method, making it a prime target for phishing.

Experts note that backups often contain sensitive historical content assumed to be secure. To mitigate risk, users are advised to enable registration lock, use strong PINs, and monitor device-change alerts. Disappearing messages can also limit exposure by reducing stored data. The campaign underscores the growing sophistication of phishing tactics targeting secure communication tools.

Source: https://gbhackers.com/hackers-target-signal-users/

Signal TPRM report: https://www.rankiteo.com/company/signal-messenger

"id": "sig1780295029",
"linkid": "signal-messenger",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"