Signal Users Targeted in Sophisticated Backup Phishing Campaign

A new wave of phishing attacks is targeting Signal users by impersonating the platform's official support team. Hackers are sending fraudulent messages claiming that a user's chat backups are at risk of permanent loss due to synchronization errors. The attackers then coerce victims into providing their recovery keys, which are essential for accessing encrypted cloud backups. By masquerading as legitimate support personnel, these bad actors exploit the trust users place in the privacy-focused messaging app.

This campaign appears to be particularly focused on high-profile targets, including activists and dissidents, though reports suggest the scope may be broader. Unlike previous attacks that primarily aimed to hijack accounts to impersonate users, this strategy specifically seeks to compromise historical data. Because Signal’s standard account hijacking methods do not grant access to past conversations, obtaining a recovery key is a critical step for attackers looking to decrypt and steal sensitive photos, documents, and older chat logs.

This development highlights a significant shift in how threat actors are attempting to bypass Signal’s robust security architecture. While Signal provides features like Registration Lock to prevent unauthorized account linking, the human element remains a vulnerability. It is essential for users to remember that Signal will never initiate contact or request sensitive credentials such as PINs or recovery keys. To maintain security, users should remain vigilant against unsolicited messages and verify the authenticity of any support-related communications through official channels.