Hackers target Signal users to steal chat backups via phishing
The Story
A single-source report from TechCrunch details a hacking campaign where attackers impersonate Signal’s support team to trick users into handing over their backup recovery keys. The phishers warn targets that their backed-up chats and media are at risk of permanent loss due to a sync issue, then ask for the key. The campaign has been observed among several anti-Chinese Communist Party activists, but other communities may also be targeted.
Key Facts
- TechCrunch reports that hackers are pretending to be Signal Support and telling targets their backups are “at risk of permanent loss due to a sync issue.”
- The phishing message says: “This links your existing backup to your account. Failure to do this may result in losing access to your account and all stored data.”
- Washington Post analyst Josh Rogin said several anti-Chinese Communist Party activists received the message.
- Mohammed Al-Maskati, director at Access Now’s Digital Security Helpline, told TechCrunch that two people shared similar messages but are not Chinese activists, suggesting the campaign may be more widespread or involve multiple hacker groups.
- The effectiveness of the campaign is unclear; stealing the recovery key is one step, and hackers still need to take over the victim’s account.
- Signal states that it “will never reach out” to users first and will never ask for their registration code, PIN, or recovery key.
- Signal publicly warned about this exact type of attack last month.
- Previous hacking campaigns attempted to hijack accounts but did not gain access to past messages.
- Signal launched Secure Backups last year, an opt-in feature that encrypts backups with a recovery key “never shared with Signal’s servers.”
- Signal did not respond to a request for comment.
Conflicting Reports
No conflicting reports identified in the source article.
Still Unclear
How effective the phishing campaign has been; whether different hacker groups are using the same strategy.
Misconceptions
The article clarifies that Signal does not contact users first or request their registration code, PIN, or recovery key, contrary to the phishing message.
Key Figures
- Josh Rogin, Washington Post analyst
- Mohammed Al-Maskati, director at Access Now’s Digital Security Helpline
Sources: TechCrunch
