Signal has long been the messaging app of choice for anyone who takes privacy seriously, from journalists to activists to security-conscious normals. That reputation is exactly why it’s a target — and the FBI and CISA have just flagged a worrying evolution in how state-backed attackers are trying to crack it open.
In a joint advisory published Thursday, the two agencies warned that hackers tied to Russian intelligence services are now going after Signal users’ Backup Recovery Keys. This is an escalation of a phishing campaign that, according to the agencies, has already compromised thousands of accounts around the world.
Here’s why this particular trick is nasty. Most account-theft schemes fall apart the moment you wipe your device or switch phones. Not this one. According to the advisory, once an attacker tricks a victim into handing over their Backup Recovery Key just once, they gain the ability to restore that account’s backup and read its message history — and crucially, that access persists.
The most counterintuitive part is what doesn’t fix it. Setting up a fresh Signal account using the same phone number does not invalidate a stolen recovery key. In other words, the usual instinct — “I’ll just start over on a new phone” — offers no protection here. The key remains valid, and so does the attacker’s window into your historical conversations.
This builds on earlier phishing activity the agencies have tracked. The mechanics are social, not cryptographic: Signal’s end-to-end encryption isn’t being broken. Instead, attackers are manipulating users into voluntarily surrendering the very piece of information that unlocks their backups. It’s the digital equivalent of a burglar talking you into handing over a spare key rather than picking the lock.
What you can do about it:
- Never share your Backup Recovery Key. No legitimate request will ever ask you to type it out, paste it, or read it aloud — treat any such prompt as hostile.
- Be sceptical of phishing. The campaign relies on convincing messages, links and prompts. Slow down before acting on anything that asks you to confirm, restore or re-link an account.
- Generate a new recovery key if you suspect exposure. Since a fresh account on the same number won’t undo a compromise, the key itself is what needs to change.
The broader lesson is a familiar one for anyone who follows security: the weakest link is rarely the encryption. It’s the human being on the other end of a cleverly worded message. Signal’s protocol remains as strong as ever, but a single moment of misplaced trust can hand an attacker the keys — literally — to everything you’ve sent.