Signal Phishing Attacks Target Chat Backups via Fake Support

Key Takeaways

- Hackers are sending fake Signal Support messages asking users to share their 30-digit backup recovery keys
- Signal will never contact users first or ask for PINs, verification codes, or recovery keys
- The attack exploits Signal's cloud backup feature introduced in late 2025
A new phishing campaign is targeting Signal users by impersonating the app's support team and asking for backup recovery keys. The attack exploits Signal's optional cloud backup feature, which launched in late 2025.
Washington Post analyst Josh Rogin posted a screenshot of the attack on Wednesday. The fake message warns users that their backed-up chats and media are "at risk of permanent loss due to a sync issue." It then asks them to share their recovery key with the sender.
The message comes from an account calling itself "Signal Support." It reads: "This links your existing backup to your account. Failure to do this may result in losing access to your account and all stored data."
Rogin said several anti-Chinese Communist Party activists received this message. But the attack appears broader. Mohammed Al-Maskati, director at Access Now's Digital Security Helpline, told TechCrunch that two other people shared similar messages with him. Neither was a Chinese activist.
Why Recovery Keys Matter
Signal's recovery key is a 30-digit code that decrypts cloud-stored chat backups. If attackers get this key, they can access a user's entire encrypted message history. This includes older chats and photos that might contain sensitive information.
Al-Maskati noted that stealing the recovery key is only one step. Attackers still need to take over the victim's account to complete the attack. But the recovery key alone gives them access to historical data, which could be valuable for surveillance or blackmail.
How to Spot the Scam
Signal has a clear policy: it will never contact users first. The company will never ask for registration codes, PINs, or recovery keys through any channel.
“Signal Support will never contact you via in-app message to ask for a PIN, verification code, or recovery key. Any message claiming to be from us that asks for this is fraudulent.”
— Signal Spokesperson, Official Security Advisory
Any chat claiming to come from "Signal Support" is coming from hackers. The organization warned about this exact type of attack last month.
- Signal never sends in-app support messages
- Never share your recovery key, PIN, or verification code with anyone
- Report suspicious messages using Signal's built-in reporting feature
- If you've shared your recovery key, generate a new one immediately in Settings > Backups
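
For a helpdesk that receives forwarded reports of this lure, the rules above can be turned into a first-pass triage check. The Python below is an added example, not code from Signal or the original article; the verb and urgency word lists, the look-alike map and the sample reports are constructed assumptions.

```python
import re
import unicodedata

# Secrets the article says Signal never asks for.
SECRET = re.compile(r"\b(recovery key|pin|verification code|registration code)\b")
# Verbs that turn a mention of a secret into a request for it (assumed list).
ASK = re.compile(r"\b(share|send|provide|enter|reply with|confirm|submit)\b")
# Pressure cues modelled on the lure quoted in the article (assumed list).
URGENCY = re.compile(r"\b(permanent loss|losing access|at risk|failure to)\b")
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"))
# Small constructed look-alike map, Cyrillic to Latin; not exhaustive.
CONFUSABLES = str.maketrans("\u0456\u0455\u0430\u0435\u043e\u0440", "isaeop")


def normalize(text):
    """Fold compatibility forms, zero-width characters, case and look-alikes."""
    text = unicodedata.normalize("NFKC", text).translate(ZERO_WIDTH)
    return text.casefold().translate(CONFUSABLES)


def impersonates_support(display_name):
    """True when the display name reduces to 'signal' plus 'support'."""
    squashed = re.sub(r"[^a-z0-9]", "", normalize(display_name))
    return "signal" in squashed and "support" in squashed


def triage(display_name, body):
    """Return (verdict, reasons) for one reported message."""
    text = re.sub(r"\s+", " ", normalize(body))
    fake_sender = impersonates_support(display_name)
    # Require the secret and the request verb in the same sentence.
    asks = any(SECRET.search(s) and ASK.search(s)
               for s in re.split(r"(?<=[.!?])\s+", text))
    urgent = bool(URGENCY.search(text))
    reasons = [label for hit, label in (
        (fake_sender, "sender name imitates Signal Support"),
        (asks, "asks the recipient to hand over a secret"),
        (urgent, "threatens loss of data or access")) if hit]
    verdict = "fraudulent" if fake_sender else "suspicious" if asks else "no match"
    return verdict, reasons


# Constructed reports; the first reuses wording quoted in the article.
SAMPLES = [
    ("Signal Support", "Your backed-up chats are at risk of permanent loss due to "
     "a sync issue. Please share your recovery key with us."),
    ("S\u0456gnal\u200b Support", "Reply with your verification code to continue."),
    ("Alex", "Please send me your PIN so I can log in for you."),
    ("Alex", "I lost my recovery key, where do I generate a new one?"),
]
```

Because Signal never sends in-app support messages, a sender name that normalizes to "Signal Support" is treated as fraudulent on its own; the other two signals only add context for the analyst.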
The Backup Feature Trade-Off
Signal introduced cloud-based chat backups in late 2025. The feature helps users migrate their message history to new devices. But it also created a new attack vector.
On Reddit's r/privacy and Hacker News, users are debating this convenience-versus-security trade-off. Many power users want better in-app UI indicators to distinguish official system notifications from regular chats. This would help less technical users avoid these scams.
The backup feature is optional. Users who prioritize security over convenience can disable it entirely in Settings > Backups. This eliminates the attack vector but means losing chat history when switching devices.
Who's Behind the Attacks
It's unclear who is running this campaign. The targeting of anti-CCP activists suggests possible state-backed involvement. But non-Chinese activists receiving similar messages indicates either a broader campaign or multiple groups using the same tactic.
Signal's 40 million+ global active users make it an attractive target. The app's reputation for security means users may be more trusting of official-looking messages, which is exactly what the attackers exploit.
TechCrunch reports this is a new type of attack because it specifically targets backups. Previous impersonation campaigns focused on account takeovers through verification codes. Targeting backups lets attackers access historical data even if the victim later secures their account.
Frequently Asked Questions
Will Signal ever message me about account issues?
No. Signal will never contact you first via in-app message. Any message claiming to be from Signal Support asking for your PIN, verification code, or recovery key is a scam.
What should I do if I shared my recovery key with a scammer?
Go to Settings > Backups immediately and generate a new recovery key. This invalidates the old key. Also check your linked devices in Settings > Linked Devices and remove any you don't recognize.
Is Signal's cloud backup feature safe to use?
The feature is end-to-end encrypted and secure if you keep your recovery key private. The risk comes from social engineering attacks like this one, not from the backup system itself.
How do I report a phishing message on Signal?
Tap the sender's name at the top of the chat, scroll down, and tap 'Report.' This sends the message to Signal's trust and safety team.
Can I use Signal without enabling cloud backups?
Yes. Cloud backups are optional. You can disable them in Settings > Backups. Your messages will stay on your device only, which is more secure but means losing history if you switch phones.
Source: TechCrunch / Lorenzo Franceschi-Bicchierai
Huma Shazia
Senior AI & Tech Writer