Tuesday, June 2, 2026

Signal’s Backup Key Is the New Target – and the Attack Is Harder to Spot Than It Looks

by Owen Radner

Hackers are running a campaign to steal Signal users’ chat backups by impersonating Signal’s support team and requesting recovery keys, reporter Lorenzo Franceschi-Bicchierai documented on Wednesday, May 28. YourNewsClub covers this as a structurally novel attack because it targets a component of Signal’s architecture – the Secure Backup system – that the app only introduced last year, and because the attack’s goal is access to historical messages, not just account takeover.

The attack arrives as a message from an account called “Signal Support,” warning the target that their backed-up chats and media are “at risk of permanent loss due to a sync issue.” To protect their data, the message says, the user needs to share their recovery key with the support team. The message mimics the language of a routine security notification. It relies on a simple misunderstanding: that Signal has a support team that can communicate with users directly and that recovery keys should be shared for account verification.

Signal says explicitly that it will never reach out to users first, and will never ask for registration codes, PINs, or recovery keys. Any message purporting to come from “Signal Support” is, by that definition, malicious. YourNewsClub flags the attack’s effectiveness as depending entirely on users not knowing that rule – which is a reasonable assumption, since most apps do have support functions that can contact users, and Signal’s particular design principle is unusual enough that many of its users may not know it.

Mohammed Al-Maskati, director at Access Now’s Digital Security Helpline – which investigates cyberattacks against journalists, dissidents, and human rights activists – told Franceschi-Bicchierai that two people shared similar messages with him, and that neither was a Chinese activist. That matters for scope assessment: the initial reports cited anti-Chinese Communist Party activists as targets, but the Access Now reports suggest either a broader campaign by the same actor or multiple actors independently using the same technique.

The recovery key is the specific technical object under attack. Signal launched Secure Backups as an opt-in feature last year, allowing users to upload encrypted account contents – messages, photos, documents – to Signal’s servers. The backup is encrypted with a recovery key that Signal says “never leaves” the user’s device and is never shared with Signal’s servers. That design means only the user, with their physical device and the recovery key, can decrypt and restore their backup. If an attacker obtains the recovery key and separately takes over the account – for example, by hijacking the phone number – they can potentially access historical messages that would otherwise remain encrypted. YourNewsClub notes that this attack chain requires two steps, not one, which limits its scale but not its precision: a targeted attacker with the recovery key is in a strong position to reconstruct an activist’s or journalist’s message history.

Signal’s own published guidance warned against exactly this attack type last month. That the campaign is active despite the public warning confirms something basic about phishing: the warning must reach every potential target before the phishing message does, and the phishing message needs to reach only one person to succeed. Translation: public advisories help but do not stop targeted campaigns against specific individuals in high-risk communities.

Previous Signal account-takeover campaigns relied on hijacking a victim’s phone number or using the platform’s “Linked Devices” feature to attach an attacker’s device to the victim’s account. Those attacks give the attacker forward access to new messages but not to old ones, because historical messages do not transfer to a newly registered device. The backup-targeting attack closes that gap. YourNewsClub counts this as a meaningful technical escalation in the Signal attack landscape, moving the threat from account access to message history access.

Three things to watch: whether Signal updates the Secure Backup interface to include more prominent warnings about recovery key requests; whether Access Now’s Digital Security Helpline documents additional targets that confirm the campaign’s scope; and whether any intelligence attribution connects the campaign to a specific state-sponsored or criminal operator. The security desk at Your News Club puts both high-risk individuals using Signal and ordinary users who recently enabled Secure Backups on the watchlist for this attack type.
