
Signal says recent reports describing attacks against its users do not reflect a breach of its platform, while also announcing plans to introduce new protections aimed at stopping similar phishing campaigns in the future.
The clarification follows a joint advisory issued earlier this year by Germany’s Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI), which warned of targeted Signal account attacks against politicians, journalists, and other high-profile individuals across Europe.
Signal wasn’t hacked
In a statement published yesterday, Signal pushed back on claims that its service had been compromised, stressing that its end-to-end encryption, infrastructure, and application code had not been breached.
Instead, the company confirmed that attackers carried out a coordinated phishing campaign by impersonating official Signal support accounts. Threat actors reportedly changed their display names to appear legitimate and used social engineering tactics to trick victims into sharing their registration codes and Signal PINs.
Once those credentials were obtained, attackers registered the accounts on devices under their control, often reassigning the associated phone number. This action automatically deregistered the victim’s device, effectively locking them out. To reduce suspicion, victims were reportedly told in advance that this behavior was expected and that they would simply need to “re-register,” leading many to unknowingly create new accounts while their original ones remained hijacked.
Compromised accounts were then used to target contacts in the victims’ networks, allowing attackers to spread the phishing campaign further by impersonating trusted individuals.
Signal noted that its visibility into these incidents is limited due to its privacy-focused architecture, which does not collect user data or message content, meaning much of its understanding comes from reports provided by affected users.
New protections are coming
Signal announced that it is preparing to roll out a series of updates in the coming weeks designed to make phishing and account takeover attempts more difficult. While the company did not disclose specific technical details, the changes are intended to better protect users from social engineering attacks that exploit trust rather than software flaws.
The move signals a shift toward strengthening account security and user-facing safeguards, particularly as Signal continues to grow and attract more high-value targets. The company acknowledged that such phishing campaigns are a common threat for large messaging platforms but emphasized the heightened risks given the sensitive nature of many users’ communications.
In the meantime, Signal users should remain vigilant and follow basic security practices to reduce the risk of compromise:
- Never share your Signal verification code or PIN with anyone
- Treat unsolicited messages claiming to be from Signal support as suspicious
- Enable the “Registration Lock” feature to prevent unauthorized account re-registration
- Only link new devices intentionally and avoid scanning unknown QR codes
- Watch for unexpected account changes, such as sudden deregistration






