Your Signal account is safe

Signal, the encrypted messaging app trusted by security-savvy users around the world, has confirmed that hackers are able to take over accounts – with government officials and journalists among the targets.

The warning came earlier this week, when Signal posted on Bluesky that an attack had taken place, while insisting that its encryption and central infrastructure remained intact and uncompromised.

The problem is not with Signal itself, but with its users being tricked into handing over the keys to their accounts.

On the same day, the Dutch General Intelligence and Security Service (AIVD) and the Defense Intelligence and Security Service (MIVD) published joint advisories attributing the attacks against Signal and WhatsApp users to Russian-backed hackers.

According to Dutch intelligence agencies, the operation is “large and global,” and the victims are confirmed to include Dutch government employees. Journalists are also understood to have been targeted.

The attack highlights that even the strongest encryption cannot protect you if you are tricked into handing control of your account to a malicious hacker.

Rather than trying to break the cryptography that protects messages sent via Signal or WhatsApp, attackers simply trick users into providing their verification codes or unwittingly connecting a second device to their account – silently giving attackers access to private conversations.

The hacking campaign uses two main strategies, neither of which needs to exploit any vulnerability in Signal or WhatsApp. Instead, attackers rely on the tried and trusted trick of social engineering.

As Signal explained in its post, intended victims receive an in-app message claiming to be from a “Signal Security Support Chatbot”, or a similarly legitimate-sounding account.

The message says that suspicious activity has been detected, and the victim is instructed to complete a “verification process” by entering an SMS verification code and Signal PIN.

Once the credentials are provided, attackers can register the victim’s account on a device under their control – gaining access to incoming messages and group chats.

Another attack method exploits the “connected devices” feature used by Signal and WhatsApp. A hacker can send a target a QR code or a link that appears to be a group chat invitation or general security information. In reality, scanning the QR code connects the attacker’s device to the victim’s account, allowing their conversations to be secretly monitored.

Signal says it is working to add more alerts within its app to warn users of the potential dangers of responding to a phishing message.

The company says it will never contact users via in-app messaging, SMS, or social media to ask for verification credentials. And if someone contacts you claiming to be “Signal Security Support Chat” – well, they’re an attacker.

You can review which devices are connected to your Signal and WhatsApp accounts by going to Settings > Connected Devices and removing anything you don’t recognise.

And remember – no amount of encryption can save you from social engineering.