Hackers posing as Signal customer support steal backup recovery keys, targeting anti-Chinese Communist Party activists and other groups

According to an exclusive report by TechCrunch on May 28, a group of hackers is impersonating the official customer support account “Signal Support” on the Signal platform. The attackers send users fake warnings claiming that their chat backups are “at risk of permanent loss due to a sync issue,” then trick them into handing over, during the conversation, the recovery key used to decrypt cloud backups. Washington Post analyst Josh Rogin was the first to share screenshots of the attack on X, noting that several anti-Chinese Communist Party activists received such messages. Mohammed Al-Maskati, director of the digital security hotline at Access Now, told TechCrunch that two other users from different backgrounds also received similar messages, indicating that the targets of the attack may be broader, or that multiple hacker groups are using the same method.

This attack specifically targets the “Secure Backups” feature launched by Signal last year. The feature uploads encrypted account content to Signal’s servers, while the recovery key required for decryption is stored on the user’s local device and is inaccessible to Signal’s servers. Once the recovery key falls into an attacker’s hands, the attacker can decrypt and read the user’s historical messages, photos, and files.

Previous attacks against Signal typically aimed to take over accounts, with hijacked accounts becoming unusable due to re-registration. This targeted theft of backup keys represents a new type of attack vector and is more harmful. Signal has made it clear that it “will never proactively contact users” and will not ask for registration codes, PINs, or recovery keys; it had already issued a public warning about this type of phishing attack on Bluesky last month. Recommended user protections: enable Registration Lock, store the recovery key offline in a password manager or physical notebook, and remain highly vigilant against any unsolicited messages claiming to be from “Signal Support.”

TechCrunch