The FBI and CISA have updated an earlier warning about Russian intelligence targeting Signal accounts, noting the operators have added a step: tricking targets into handing over their Signal backup recovery key. With that key, an attacker can restore the account's backup, read its private and group message history, and take over the account, and the key keeps working afterward. The campaign uses social engineering against high-value targets such as government officials, military personnel, and journalists. It reflects a broader shift toward stealing the recovery and session secrets that sit behind multi-factor authentication rather than attacking the login directly.
Security researchers are warning of a phishing campaign that impersonates Signal Support over text message to steal users' backup recovery keys, specifically targeting journalists and activists. Once an attacker obtains the recovery key, they can decrypt the victim's entire message-history backup. The campaign relies purely on social engineering - there is no flaw in Signal's cryptography - tricking targets into handing over the secret that protects their encrypted backups. The targeting of journalists and activists points to surveillance-motivated actors rather than financially-driven crime. Signal users should treat any unsolicited 'Support' contact requesting recovery keys or codes as hostile, since Signal never asks for them.
Der Spiegel reported on April 25 that German government sources now blame Russia for a large-scale Signal phishing campaign that compromised the account of Bundestag President Julia Klöckner. At least 300 Signal accounts of German political figures were targeted; investigators say attackers accessed chat histories, files, and phone numbers. Chancellor Friedrich Merz was in the same CDU group chat as Klöckner but his device showed no signs of compromise. The attack used pure social engineering - operators posed as Signal support and asked victims to share verification codes or PINs.
Apple released out-of-band iOS and iPadOS updates to fix a Notification Services flaw that kept notifications marked for deletion sitting in internal storage, where they could be pulled off the device later. The bug (CVE-2026-28950) landed after 404 Media reported that the FBI recovered Signal messages from a suspect's iPhone even after the user deleted them and even after Signal itself was uninstalled. The recovered text did not come from Signal's encrypted message store - it came from iPhone's internal notification buffer, which silently preserved incoming notification contents that the app and the OS both thought had been erased. Apple's advisory does not name the FBI case but describes exactly the data-persistence behavior 404 Media documented. Signal's team publicly thanked Apple for the fix. Beyond Signal users, this flaw matters for anyone who assumed that deleting a message or uninstalling an app wiped the underlying notification data from the phone - it did not. Forensic extraction of an unlocked iPhone could have surfaced any sensitive content ever pushed as a notification.