What's Happening
A new wave of phishing attacks is targeting Signal users, trying to trick them into handing over the recovery key for Signal's secure backups: the single secret that decrypts the full message history stored in an online backup.
Security researchers first flagged the campaign in late May 2026. The attacks spread through convincing phishing pages that impersonate Signal's interface and prompt users to "verify" or "restore" their account by typing in their 64-character recovery key.
Why the Recovery Key Is So Valuable
Signal's security model is built around end-to-end encryption: only the sending and receiving devices can read a message, not the network and not Signal's servers. When you turn on Signal's backup feature, your chat history is encrypted on your device before it is uploaded, and the only thing that can decrypt it is a recovery key that is generated on your device and that Signal never sees.
If attackers get that key, they can download and decrypt your backup, gaining access to potentially years of private conversations.
"The recovery passphrase is essentially the skeleton key to your entire Signal history," one security analyst explained. "Signal itself can't help you if someone else has it — that's by design."
How the Phishing Attack Works
Victims typically receive a message — sometimes through Signal itself, sometimes via SMS or email — claiming their account needs to be re-linked or that suspicious activity has been detected. The link leads to a near-perfect replica of Signal's official site or setup wizard.
From there, users are walked through what looks like a standard account recovery flow and prompted to enter their passphrase. Once submitted, it goes straight to the attackers.
The sophistication of these pages is what makes this campaign particularly dangerous. Unlike older phishing attempts with obvious spelling errors or broken layouts, these sites are polished and specifically designed to fool technically aware users.
What You Should Do
Signal's guidance is that the app never asks for your recovery key through a web browser, an email, or a chat message. The key is generated inside the official Signal app when you set up backups, and the only legitimate place to type it in is the official app on a new device when you restore a backup.
Here are the key steps to protect yourself:
- Never enter your recovery key anywhere except the official Signal app. If a website or message is asking for it, it's a scam.
- Check your backup settings. If you haven't reviewed them recently, open Signal → Settings → Account → Signal Backups.
- Generate a new recovery key if you believe yours may have been exposed; the app's backup settings let you do this. Be clear about what that buys you: a new key protects backups made from then on, but any backup an attacker has already downloaded stays decryptable with the old key.
- Verify links carefully. Signal's site is signal.org. Check the full hostname in the address bar, not just whether the word "signal" appears somewhere in the link: a lookalike can put "signal.org" in a subdomain, in the path, or before an @ sign while the page is actually served from a different domain.
- Enable Registration Lock (a Signal PIN) in Signal's settings. This stops someone from re-registering your phone number on another device without the PIN; it does not protect a backup whose recovery key has already leaked, so it complements the steps above rather than replacing them.
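As an added illustration of the link check, here is a small Python script written for this edit (it is not Signal's code and not taken from the campaign). It shows why "signal.org appears in the URL" is not the same as "the page is served from signal.org": the allowlist of signal.org and its subdomains is an assumption, and the sample links are constructed for the example.

```python
"""Hostname check for links that claim to be Signal's site.

Added illustration for this article; not Signal's own code. The allowlist
below (signal.org and its subdomains) is an assumption made for the example,
and the sample URLs are constructed here, not taken from any real campaign.
"""
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist of legitimate registrable domains.
TRUSTED_DOMAINS = ("signal.org",)


def extract_host(url: str) -> Optional[str]:
    """Return the lowercase hostname of *url*, or None if it has no usable host.

    urlsplit() separates userinfo (anything before '@'), the port and the
    path from the hostname, which is what defeats the lookalike tricks below.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname  # already lowercased; userinfo and port stripped
    if not host:
        return None
    return host.rstrip(".")  # "signal.org." is the same name with a trailing dot


def is_trusted_link(url: str) -> bool:
    """True only if the host is exactly a trusted domain or a subdomain of one."""
    host = extract_host(url)
    if host is None:
        return False
    if host.startswith("xn--") or ".xn--" in host:
        # Punycode label: an internationalised name that may render like a
        # Latin lookalike in the address bar. Treat it as untrusted.
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


# Constructed sample links (not from a real campaign). Each lookalike puts
# "signal.org" somewhere in the URL without the page being served by it.
SAMPLE_LINKS = {
    "https://signal.org/download/": True,
    "https://support.signal.org/hc/": True,
    "https://signal.org.example/restore": False,        # trusted name as a subdomain of another
    "https://signal.org@example.test/restore": False,   # trusted name in the userinfo before '@'
    "https://example.test/signal.org/verify": False,    # trusted name in the path only
    "https://signal-org.example/verify": False,         # hyphen lookalike
    "https://xn--signl-7qa.org/": False,                # punycode label
    "signal.org/restore": False,                        # no scheme: urlsplit treats it as a path
}


def classify(links=SAMPLE_LINKS):
    """Map each link to the verdict of is_trusted_link()."""
    return {url: is_trusted_link(url) for url in links}


if __name__ == "__main__":
    for url, trusted in classify().items():
        print(f"{'trusted' if trusted else 'SUSPECT'}  {url}")
```

A matching hostname is necessary, not sufficient: it says nothing about a compromised or redirecting page, and it cannot fix a user who types the key into a browser at all. The check is a habit for reading the address bar, not a substitute for the rule that the key goes only into the official app.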
The Bigger Picture
This campaign is part of a growing trend of attackers targeting encrypted messaging apps specifically because their users tend to store sensitive conversations there. Signal's reputation for security can sometimes create a false sense of invincibility — but no encryption system protects against users being deceived into handing over their own keys.
If you use Signal for sensitive communications — whether personal, professional, or journalistic — now is a good time to review your backup settings and make sure your recovery passphrase is stored safely offline, not in a screenshot or notes app.
Source: TechCrunch. For the latest cybersecurity advisories, visit signal.org/blog.
