HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Phishing Campaign Hijacks Signal Backup Recovery Keys, Threatening Encrypted Message Archives

A phishing campaign is sending SMS messages that appear to be from Signal Support, urging users to share their 64‑character backup recovery key. If the key is disclosed, attackers can download and decrypt the victim’s entire message history, exposing confidential communications. Organizations that rely on Signal for secure messaging must reassess user‑education and account‑protection controls.

LiveThreat™ Intelligence · 📅 May 29, 2026· 📰 malwarebytes.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
malwarebytes.com

Phishing Campaign Hijacks Signal Backup Recovery Keys, Threatening Encrypted Message Archives

What Happened – A new SMS‑based phishing campaign pretends to be “Signal Support” and asks recipients to copy and paste their 64‑character backup recovery key into the chat. The key unlocks the user’s encrypted backup stored on Signal’s servers, giving an attacker full access to historic messages and media.

Why It Matters for TPRM

  • Compromise of recovery keys can expose confidential communications of employees, clients, and partners.
  • The tactic demonstrates how a seemingly benign messaging platform can become a vector for data leakage in supply‑chain and third‑party contexts.
  • Early detection relies on user education and verification controls that many organizations overlook.

Who Is Affected – Messaging app providers (Signal), journalists, human‑rights activists, NGOs, and any enterprise that uses Signal for secure internal or external communications.

Recommended Actions

  • Conduct user awareness training on phishing, emphasizing that Signal will never request recovery keys via chat.
  • Enforce registration lock, PIN, and device‑change alerts for all Signal accounts used in the organization.
  • Add monitoring for anomalous backup key requests in security information and event management (SIEM) tools.
  • Update third‑party risk assessments to include messaging app security controls.

Technical Notes – Attack vector: SMS phishing (social engineering). No CVE involved. The exploited feature is Signal’s “Secure Backups” which stores encrypted archives protected by a user‑generated recovery key that must never leave the device. If stolen, attackers can download and decrypt the entire backup, achieving full historical data exposure. Source: Malwarebytes Labs

📰 Original Source
https://www.malwarebytes.com/blog/news/2026/05/signal-users-targeted-in-backup-stealing-phishing-attacks

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →