Signal Users Targeted in Sophisticated Backup Phishing Campaign
A concerning wave of phishing attacks is currently targeting users of the encrypted messaging platform Signal. Malicious actors are impersonating the app’s official support team, sending fraudulent messages that claim a user’s chat history and media are at risk of permanent loss due to synchronization errors. The attackers then instruct victims to provide their unique recovery key, which is essential for accessing and decrypting online backups, under the guise of preventing data loss.
Security experts have observed these messages circulating among various groups, including political activists and human rights defenders, though the scope of the campaign appears to be broadening. By masquerading as official support staff, the hackers aim to exploit the trust users place in the platform. This tactic is particularly dangerous because it targets the recovery keys used for Secure Backups, a feature that allows users to store encrypted copies of their chat history on Signal’s servers.
It is critical for users to understand that Signal will never initiate contact to request registration codes, PINs, or recovery keys. Any communication claiming to be from ‘Signal Support’ that asks for such sensitive information is a malicious attempt to compromise the user’s account. Because Signal’s architecture ensures that recovery keys remain on the user’s device and are never shared with the company, any request for this key is a clear indicator of a security threat.
While previous hacking attempts against the platform often focused on hijacking phone numbers to take over accounts, those methods typically did not grant access to historical messages. By successfully phishing for a recovery key, attackers could decrypt and access a victim’s older conversations, photos, and documents stored in their backup archive. Users are strongly advised to keep their recovery keys in a secure, offline location, such as a password manager or a physical notebook, and to ignore any unsolicited requests for this information.
