HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Phishing Campaign Tricks Signal Users into Revealing Backup Recovery Keys, Endangering Journalists and Activists

Attackers are sending SMS messages that pose as Signal Support, asking victims to share their 64‑character backup recovery key. If disclosed, the key unlocks the entire encrypted message archive, exposing sensitive historical communications of journalists, activists, and other high‑risk users.

LiveThreat™ Intelligence · 📅 May 30, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
securityaffairs.com

Phishing Campaign Tricks Signal Users into Revealing Backup Recovery Keys, Endangering Journalists and Activists

What Happened – Attackers are sending SMS messages that masquerade as Signal Support, urging recipients to paste their 64‑character backup recovery key into the chat. The key decrypts the entire encrypted backup stored on Signal’s servers, giving the attacker full access to historic conversations.

Why It Matters for TPRM

  • Compromise of backup keys can expose years‑long confidential communications of high‑risk personnel (journalists, activists, lawyers).
  • A successful breach can lead to credential reuse, credential stuffing, or further social‑engineering attacks against your organization’s partners.
  • The technique is low‑cost and easily reproducible, increasing the likelihood of broader targeting of your supply‑chain contacts.

Who Is Affected – Media & journalism firms, NGOs, human‑rights organizations, legal practices, and any third‑party that encourages staff to use Signal for secure communications.

Recommended Actions

  • Instruct all users that Signal will never request recovery keys via SMS or chat.
  • Disable or restrict the use of Signal’s Secure Backups feature for high‑risk personnel, or enforce hardware‑based key storage.
  • Conduct a phishing awareness refresher focused on SMS‑based social engineering.
  • Review third‑party communication policies and ensure backup keys are never shared externally.

Technical Notes – Attack vector: phishing via SMS (SMiShing). No CVE involved; the vulnerability is procedural – the recovery key is never meant to leave the device. Data at risk: encrypted message archives (text, media, attachments). Source: Security Affairs

📰 Original Source
https://securityaffairs.com/192899/security/signal-phishing-campaign-targets-journalists-and-activists-to-steal-backup-recovery-keys.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →