
Signal users are being targeted in a new phishing campaign that attempts to steal recovery keys used to access the platform's encrypted cloud backups.
Attackers who obtain these keys could gain access to entire message archives, including older conversations, photos, and documents.
The attacks are being carried out through fraudulent messages impersonating Signal Support. Victims receive a warning claiming their account data is at risk due to a synchronization problem and are instructed to retrieve their backup recovery key from the Signal app and paste it into a chat conversation. The message falsely claims that sharing the key is necessary to prevent permanent data loss.

Journalists, activists, and human rights activists have also reported getting the phishing messages.
The phishing texts create a sense of urgency by repeatedly threatening data loss and ask users to share highly sensitive credentials. Signal has repeatedly stated that it will never proactively contact users and will never request registration codes, PINs, passwords, or backup recovery keys through chat messages.
The campaign targets Signal's Secure Backups feature, which was recently introduced to provide users with an end-to-end encrypted method of storing message archives in the cloud. The feature relies on a unique 64-character recovery key generated locally on the user's device. Signal does not possess this key, and it is never transmitted to Signal's servers. The backup architecture was designed around a zero-knowledge model, ensuring that only users with the recovery key can decrypt stored archives.
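The signals described above (a sender posing as Signal Support, a data-loss threat, and a request for a secret) can be combined into a simple triage heuristic, with a second check that catches a key-shaped string in an outgoing draft. This is an added example, not code from Signal or from the original report; the phrase lists, the function names, the sample messages, and the assumption that the 64-character key is alphanumeric and may appear in groups of four are all illustrative.

```python
import re

# Phrase lists are assumptions modelled on the campaign description, not a vetted ruleset.
IMPERSONATION = re.compile(r"\bsignal\s+(support|security|team)\b", re.I)
URGENCY = re.compile(
    r"\b(data loss|at risk|permanently (lost|deleted)|"
    r"synchroni[sz]ation (problem|error|issue))\b", re.I)
SECRET = re.compile(
    r"\b(recovery key|backup key|registration code|pin|password)\b", re.I)
ASK = re.compile(r"\b(send|share|paste|provide|reply with)\b", re.I)

# Assumption: 64 letters/digits, contiguous or in 16 groups of 4 split by space/dash.
KEY_LIKE = re.compile(
    r"(?<![A-Za-z0-9])(?:[A-Za-z0-9]{4}[\s-]?){15}[A-Za-z0-9]{4}(?![A-Za-z0-9])")


def inbound_signals(text):
    """Return which campaign signals appear in a received message."""
    hits = []
    if IMPERSONATION.search(text):
        hits.append("impersonates-support")
    if URGENCY.search(text):
        hits.append("urgency")
    if SECRET.search(text) and ASK.search(text):
        hits.append("asks-for-secret")
    return hits


def is_phish(text):
    """Flag only when a secret is requested AND at least one other signal fires."""
    hits = inbound_signals(text)
    return "asks-for-secret" in hits and len(hits) >= 2


def draft_leaks_key(draft):
    """True if an outgoing draft contains something shaped like a recovery key."""
    return KEY_LIKE.search(draft) is not None


# Constructed sample inputs (not real messages or keys).
PHISH = ("Signal Support: a synchronization problem puts your backups at risk of "
         "permanent data loss. Copy your recovery key and paste it into this chat.")
BENIGN = "Can you share the PIN for the office door? I forgot it again."
FAKE_KEY = "A1b2" * 16  # 64 characters

if __name__ == "__main__":
    for msg in (PHISH, BENIGN):
        print(is_phish(msg), inbound_signals(msg))
    print(draft_leaks_key("here it is: " + FAKE_KEY))
```

Requiring a second signal alongside the secret request is what keeps the ordinary "share the PIN" message from being flagged.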
Because of that design, the recovery key effectively serves as the sole means of accessing encrypted backup data. If an attacker obtains the key and later succeeds in taking control of the victim's Signal account or registering it on another device, they may be able to download and decrypt the backup archive.
Previous attacks commonly sought registration codes or attempted to hijack phone numbers to re-register accounts on attacker-controlled devices. While those attacks could allow threat actors to intercept future communications, they generally did not provide access to a victim's past message history due to Signal's security architecture.
Although current reports indicate relatively targeted activity, the technique is straightforward and could quickly spread among cybercriminal groups if proven successful.
Users can reduce their risk by following several security best practices:
- Never share a Signal recovery key, registration code, or PIN with anyone.
- Treat unsolicited messages claiming to be from “Signal Support” as suspicious.
- Verify account warnings directly within the Signal application rather than through links or instructions received in messages.
- Enable Registration Lock and other account-protection features offered by Signal.
- Store recovery keys and PINs securely in a password manager or offline location.
- Consider using disappearing messages to reduce the amount of historical data available if an account is compromised.






