VYPR research · Published May 29, 2026 · 1 source

Signal Users Targeted in Phishing Campaign Aimed at Stealing Backup Recovery Keys

A targeted phishing campaign is tricking Signal users into handing over their 64-character backup recovery keys, allowing attackers to decrypt entire message histories.

A new phishing campaign is targeting Signal users by attempting to steal their backup recovery keys to access encrypted message archives. The attack is initiated by a text message pretending to come from Signal Support. The message warns of a "sync issue" and instructs victims to navigate to Settings → Backups → Configure → Enable backups → View Recovery Key, then paste the 64-character key into the chat. Several red flags are present: the sender is labeled "Name not verified," the message repeatedly threatens data loss, and it asks the user to paste the key directly into the chat. Signal Support would never ask for a recovery key.

The attack exploits Signal's Secure Backups feature, which allows users to store encrypted archives of their conversations on Signal's servers. These backups are protected by a 64-character recovery key that should never leave the user's device and is never shared with Signal's servers. If hackers obtain this key and gain control of a victim's account, they can download and decrypt the entire message history. For an attacker, this is even better than hijacking an account, which would only give them access to future messages.

For now, the attacks appear to be targeted. Reports have come in from journalists, Chinese activists, and a researcher who investigates cyberattacks against journalists, dissidents, and human rights activists. However, now that other cybercriminals are aware of this opportunity, the tactic could spread rapidly. The campaign highlights the growing sophistication of social engineering attacks aimed at encrypted communication platforms.

Signal explicitly states that it will never reach out to users first and will never request registration codes, PINs, or recovery keys. Users should treat unsolicited messages from "Support" as suspicious by default. Legitimate support for apps like Signal and WhatsApp does not ask users, in a chat message, to send back verification codes, PINs, or passwords. If you receive a warning about account problems, do not follow links in the message; open the app's settings directly or visit the official website through other means.

To protect against such attacks, users should never share any secret codes, multi-factor authentication keys, or app PINs. SMS codes are there to prove that you control a phone number; anyone who has the code can pretend to be you. App-specific PINs or passcodes are there to protect account changes. Consider anyone asking for them to be a scammer. Use the extra security features these apps offer, such as registration lock, registration PIN, and device-change alerts, so that your account cannot be silently re-registered without an extra secret. Store your PIN in a password manager instead of choosing something easy to guess or reusing a code.
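As an added illustration of the red flags listed above and of the "never share a secret" rule, the following Python script is not Signal's, Malwarebytes' or the article's code. It scores an incoming message against the article's indicators (unverified sender claiming to be support, threats of data loss, a walkthrough to the recovery key, a request to paste a secret) and separately checks outbound text for something shaped like a 64-character recovery key. The wording patterns, the two-flag threshold and the assumed key shape (64 alphanumerics, mixed letters and digits, possibly pasted in spaced groups) are assumptions; the messages and the sample key are constructed. Because Signal is end-to-end encrypted, a check like this could only run on the user's own device or in an awareness-training setting.

```python
"""Red-flag scorer for unsolicited "support" messages and a detector for
outbound text that looks like it carries a backup recovery key.
Added illustrative example (not Signal's or Malwarebytes' code); every
sample message and the sample key below are constructed."""
import re
from dataclasses import dataclass

KEY_LENGTH = 64  # recovery-key length stated in the article


@dataclass
class Message:
    sender_label: str      # display name as the app shows it, e.g. "Signal Support"
    sender_verified: bool  # False when the app labels the sender "Name not verified"
    body: str


# Each rule mirrors one indicator from the article; the wording patterns are assumptions.
RED_FLAGS = {
    "unverified_sender_claims_support": lambda m: (
        not m.sender_verified and "support" in m.sender_label.lower()),
    "threatens_data_loss": lambda m: re.search(
        r"\b(lose|loss|lost|delet(e|ed)|wiped?|erased?)\b", m.body, re.I) is not None,
    "steers_to_recovery_key": lambda m: re.search(
        r"recovery key|view recovery|backups?\s*[>→]", m.body, re.I) is not None,
    "asks_to_send_secret": lambda m: re.search(
        r"\b(paste|send|reply with|enter|share)\b.{0,40}\b(key|code|pin|password)\b",
        m.body, re.I) is not None,
}


def score_message(msg: Message) -> tuple[int, list[str]]:
    """Return (number of red flags hit, their names)."""
    hits = [name for name, rule in RED_FLAGS.items() if rule(msg)]
    return len(hits), hits


def verdict(msg: Message) -> str:
    score, _ = score_message(msg)
    # Assumption: two or more indicators is enough to treat the message as suspicious.
    return "likely phishing" if score >= 2 else "no indicators"


def looks_like_key(tokens: list[str]) -> bool:
    """Assumed key shape: exactly 64 alphanumerics in total, mixing letters and
    digits, with a digit in the first and last group (prose words rarely have one)."""
    joined = "".join(tokens)
    if not tokens or len(joined) != KEY_LENGTH:
        return False
    digits = sum(c.isdigit() for c in joined)
    first_has_digit = any(c.isdigit() for c in tokens[0])
    last_has_digit = any(c.isdigit() for c in tokens[-1])
    return digits >= 8 and len(joined) - digits >= 8 and first_has_digit and last_has_digit


def find_recovery_key_candidates(text: str) -> list[str]:
    """Find runs of alphanumeric groups that join into a 64-character key."""
    tokens = re.findall(r"[A-Za-z0-9]+", text)
    found, i = [], 0
    while i < len(tokens):
        j, length = i, 0
        while j < len(tokens) and length < KEY_LENGTH:
            length += len(tokens[j])
            j += 1
        if looks_like_key(tokens[i:j]):
            found.append("".join(tokens[i:j]))
            i = j          # skip past the candidate just consumed
        else:
            i += 1
    return found


# Constructed samples modelled on the article's description.
PHISH = Message("Signal Support", False,
    "Signal Support here. We detected a sync issue with your backups. Your messages "
    "will be lost unless you act now. Go to Settings > Backups > Configure > Enable "
    "backups > View Recovery Key and paste the 64-character key into this chat.")
BENIGN = Message("Alice", True,
    "Hey, are we still on for lunch tomorrow? I might be 10 minutes late.")
# Constructed 64-character value in the shape a user might paste (not a real key).
SAMPLE_KEY = ("a1b2 c3d4 e5f6 g7h8 i9j0 k1l2 m3n4 o5p6 "
              "q7r8 s9t0 u1v2 w3x4 y5z6 a7b8 c9d0 e1f2")
OUTBOUND = f"sure, here it is: {SAMPLE_KEY} thanks"

if __name__ == "__main__":
    for m in (PHISH, BENIGN):
        print(m.sender_label, "->", verdict(m), score_message(m)[1])
    print("outbound key candidates:", find_recovery_key_candidates(OUTBOUND))
```

The constructed phishing message trips all four rules, the friendly message trips none, and only the outbound text that actually contains the 64-character value produces a candidate. The first/last-group digit requirement is what stops ordinary words before a pasted key from being folded into a spurious 64-character run.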

Another useful feature is disappearing messages. Disappearing messages, especially with short timers, reduce how much content is available if an attacker gains access to a chat later or obtains long-term access to a device or backup. They are not a complete solution, but they can limit the damage. Malwarebytes Scam Guard identified this message as a phishing attempt and provides further information about how to proceed.

This campaign underscores the importance of user awareness in the face of targeted phishing attacks. As encrypted messaging apps become more popular, threat actors are increasingly focusing on social engineering to bypass their security features. Users must remain vigilant and follow best practices to protect their sensitive communications.

Synthesized by Vypr AI