Phishing Campaign Tricks Signal Users into Revealing Backup Recovery Keys, Endangering Journalists and Activists
What Happened – Attackers are sending SMS messages that masquerade as Signal Support, urging recipients to paste their 64‑character backup recovery key into the chat. The key decrypts the entire encrypted backup stored on Signal’s servers, giving the attacker full access to historic conversations.
Why It Matters for TPRM –
- Compromise of backup keys can expose years‑long confidential communications of high‑risk personnel (journalists, activists, lawyers).
- A successful breach can lead to credential reuse, credential stuffing, or further social‑engineering attacks against your organization’s partners.
- The technique is low‑cost and easily reproducible, increasing the likelihood of broader targeting of your supply‑chain contacts.
Who Is Affected – Media & journalism firms, NGOs, human‑rights organizations, legal practices, and any third‑party that encourages staff to use Signal for secure communications.
Recommended Actions –
- Instruct all users that Signal will never request recovery keys via SMS or chat.
- Disable or restrict the use of Signal’s Secure Backups feature for high‑risk personnel, or enforce hardware‑based key storage.
- Conduct a phishing awareness refresher focused on SMS‑based social engineering.
- Review third‑party communication policies and ensure backup keys are never shared externally.
Technical Notes – Attack vector: phishing via SMS (SMiShing). No CVE involved; the vulnerability is procedural – the recovery key is never meant to leave the device. Data at risk: encrypted message archives (text, media, attachments). Source: Security Affairs