Phishing Campaign Hijacks Signal Backup Recovery Keys, Threatening Encrypted Message Archives
What Happened – A new SMS‑based phishing campaign pretends to be “Signal Support” and asks recipients to copy and paste their 64‑character backup recovery key into the chat. The key unlocks the user’s encrypted backup stored on Signal’s servers, giving an attacker full access to historic messages and media.
Why It Matters for TPRM –
- Compromise of recovery keys can expose confidential communications of employees, clients, and partners.
- The tactic demonstrates how a seemingly benign messaging platform can become a vector for data leakage in supply‑chain and third‑party contexts.
- Early detection relies on user education and verification controls that many organizations overlook.
Who Is Affected – Messaging app providers (Signal), journalists, human‑rights activists, NGOs, and any enterprise that uses Signal for secure internal or external communications.
Recommended Actions –
- Conduct user awareness training on phishing, emphasizing that Signal will never request recovery keys via chat.
- Enforce registration lock, PIN, and device‑change alerts for all Signal accounts used in the organization.
- Add monitoring for anomalous backup key requests in security information and event management (SIEM) tools.
- Update third‑party risk assessments to include messaging app security controls.
Technical Notes – Attack vector: SMS phishing (social engineering). No CVE involved. The exploited feature is Signal’s “Secure Backups” which stores encrypted archives protected by a user‑generated recovery key that must never leave the device. If stolen, attackers can download and decrypt the entire backup, achieving full historical data exposure. Source: Malwarebytes Labs