Phishing campaign targets Signal users' backup recovery keys
A new hacking campaign is targeting Signal messaging app users by tricking them into revealing their secret recovery keys. These keys provide access to online message backups, potentially exposing years of private conversations. Security experts are warning users to be vigilant about suspicious links and requests.
A sophisticated phishing campaign is currently targeting users of the Signal encrypted messaging app, attempting to steal secret recovery keys that grant full access to users' message backups stored online.
The attack works by deceiving Signal users into voluntarily handing over their recovery key — a unique string of characters that serves as the master credential for accessing Signal's encrypted cloud backups. Anyone who obtains this key can download and read a user's entire message history.
How the attack works
The campaign uses classic social engineering tactics, with attackers crafting convincing fake messages or websites that impersonate Signal's official communications. Victims are urged to enter their recovery key under the pretense of verifying their account or restoring their data.
Unlike password-based attacks, this method is particularly dangerous because Signal's recovery key is designed to be entered only once, during account setup or device migration. Users may therefore not immediately recognize the risk of entering it in response to an unsolicited request.
What users should do
Security professionals advise Signal users to never share or enter their recovery key in response to any message, email, or website prompt they did not personally initiate. The recovery key should only be used when setting up Signal on a new device through the app's own official settings menu. Users who believe they may have already compromised their key are advised to immediately generate a new one within the Signal app to invalidate the old credentials.