FBI warns Russian hackers now steal Signal backup recovery keys to hijack accounts
The FBI and CISA have updated an earlier warning about Russian intelligence targeting Signal accounts, noting the operators have added a step: tricking targets into handing over their Signal backup recovery key. With that key, an attacker can restore the account's backup, read its private and group message history, and take over the account, and the key keeps working afterward. The campaign uses social engineering against high-value targets such as government officials, military personnel, and journalists. It reflects a broader shift toward stealing the recovery and session secrets that sit behind multi-factor authentication rather than attacking the login directly.
- Check
- High-risk users should review who could have prompted them to share a Signal backup or recovery key, and check Signal for unexpected linked devices or signs their account history was restored elsewhere.
- Affected
- Signal users targeted by Russian intelligence, especially officials, military personnel, journalists, and activists; a stolen backup recovery key exposes full message history and grants lasting account takeover.
- Fix
- Never share your Signal backup or recovery key, store it offline, regenerate it if you suspect exposure, verify linked devices, and distrust anyone guiding you through backup steps.