The message arrives with a sense of manufactured urgency. It claims your chat history is at risk of permanent loss due to a mysterious sync error. To fix it, the sender insists you must provide your recovery key immediately.
It is a lie.
This is the latest tactic in a sophisticated phishing campaign targeting Signal users. Hackers are impersonating the app’s official support team to harvest the recovery keys required to unlock encrypted cloud backups. By gaining access to these keys, attackers can potentially decrypt years of private conversations, photos, and documents that would otherwise remain shielded by Signal’s end-to-end encryption.
The Anatomy of the Scam
The campaign relies on a simple, high-stakes deception. The attackers create accounts labeled "Signal Support" and initiate chats with unsuspecting users. The script is consistent: warn the user of a technical failure, then demand the recovery key to "link" the backup to the account.
It is a classic social engineering trap. The hackers are exploiting the trust users place in the Signal brand.
Washington Post analyst Josh Rogin recently highlighted the threat after receiving the message himself. Reports indicate the campaign is not limited to a single demographic. While anti-CCP activists have been identified as targets, security researchers at Access Now have confirmed that the phishing attempts are reaching a broader range of users, including journalists and dissidents. The scope suggests a coordinated effort to compromise high-value targets across multiple sectors.
Why Backups Are the New Frontier
Signal’s architecture has long been a fortress. Because the app does not store message history on its servers, traditional account hijacking—such as re-registering a phone number on a new device—typically leaves the attacker with a blank slate. They get the account, but they do not get the history.
That changes with Secure Backups.
Launched last year, this opt-in feature allows users to store an encrypted archive of their data on Signal’s servers. The archive is protected by a unique recovery key that, by design, never leaves the user’s device. If an attacker gains that key, they can download the encrypted backup and decrypt it offline. It is the missing piece of the puzzle for hackers who want more than just an account takeover; they want the archive.
How to Stay Protected
Signal is explicit about its security protocols: the organization will never initiate contact with a user, and it will never ask for a PIN, a registration code, or a recovery key. If you receive a message claiming to be from "Signal Support," block the sender immediately.
Security experts recommend treating your recovery key like a physical vault key. Store it in a password manager or write it down in a secure, offline location. Never type it into a chat window, regardless of who is asking.
Key Takeaways
- Signal will never reach out to you first; any "support" message is a malicious attempt to steal your data.
- The phishing campaign specifically targets the recovery key, which is the only way to decrypt your cloud-stored chat backups.
- If you receive a request for your recovery key, block the account and report it through the app’s official channels.
The attackers are betting on human error. They are counting on the fear of data loss to override basic security instincts. As long as users remain vigilant, the scheme fails. The next move belongs to the users—and the best move is to ignore the message entirely.