
The Intercept has warned that its official Signal tipline username was compromised and used by an impersonator to pose as the investigative news outlet, potentially exposing confidential sources who attempted to submit sensitive information.
Dr. Martin Shelton, of the Freedom of the Press Foundation (FPF), analyzed the incident and outlined several scenarios that could have allowed the Signal username to fall into another party's hands, while providing guidance for journalists and organizations that rely on Signal for secure communications.
Drop Site News reported that an individual had been impersonating The Intercept by controlling the Signal username previously listed on the publication's public tip page. The fraudulent account reportedly began soliciting tips from potential sources as early as February 2026 and actively promoted the compromised username across social media.
The Intercept is a nonprofit investigative news organization known for publishing reporting on national security, government surveillance, corporate misconduct, and other public-interest investigations. Like many investigative outlets, it relies heavily on encrypted communication platforms such as Signal to allow whistleblowers and confidential sources to submit sensitive information securely.
According to Drop Site News, the impersonating account responded to lawmakers and federal officials approximately 100 times between April and May while advertising the compromised Signal username as a contact method. During much of that period, the same username reportedly remained listed on The Intercept's official tip page, increasing the likelihood that prospective sources would unknowingly contact the impersonator rather than the newsroom.
On June 30, The Intercept publicly acknowledged the issue by posting updated contact information on X. The publication instructed users not to use the previous Signal username, TheIntercept.01, and instead to contact reporters directly or use the replacement Signal account, Theintercept_tips.01. The outlet did not disclose how the original username was compromised or provide specific guidance for individuals who may have previously communicated with the fraudulent account.
Shelton noted that while the exact cause of the incident remains unknown, there are only a handful of plausible explanations. Signal accounts that remain inactive for extended periods may eventually be deactivated, making associated usernames available for registration again. Similarly, changing a Signal username can make the previous one available to others after a short period. Another, less common possibility is a SIM-swapping attack, in which attackers hijack a victim's phone number to recover control of a Signal account.
The report cites Signal's source code as indicating that inactive accounts may be automatically deactivated after approximately 120 days, potentially releasing their usernames for reuse. If an organization has widely publicized a Signal username on websites, social media profiles, presentations, or printed materials, losing control of that identifier can enable convincing impersonation attacks that are difficult for potential sources to detect.
The Freedom of the Press Foundation recommends several measures to reduce the risk of similar incidents. Organizations should keep Signal accounts active to avoid automatic deactivation, avoid changing publicly advertised usernames unless absolutely necessary, secure mobile accounts with carrier PINs to help prevent SIM-swapping attacks, and enable Signal's Registration Lock and PIN protection to prevent unauthorized account recovery.







Leave a Reply