Russian hackers phish for Signal backup keys, FBI warns

A new twist in a long-running phishing campaign shows Russian-linked actors have shifted from stealing Signal login codes to grabbing users’ Backup Recovery Keys, giving them the power to decrypt and read years of stored messages.
The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency issued the alert after observing the campaign evolve in recent months. Instead of harvesting the six-digit verification codes sent to phones, attackers now trick Signal users into surrendering their 30-digit Backup Recovery Keys—essentially the master password that unlocks every past conversation stored in encrypted backups.
A subtle but dangerous bait
The phishing messages mimic routine Signal notifications, asking users to “verify their account” or “recover access.” When recipients click, they land on pages that closely resemble Signal’s own web interface and are prompted to enter the 30-digit key. Because the interface looks legitimate, even security-aware users can be fooled.
Why the change matters
Backup Recovery Keys are designed to let users restore their Signal history on a new device after losing or upgrading their phone. Once a key is stolen, attackers can decrypt local backups and read messages that were thought to be gone. This means the compromise isn’t limited to new messages—it can expose years of stored conversations.
Staying ahead of the threat
Signal itself has not changed its security model, but the campaign underscores the need for users to treat Backup Recovery Keys with the same caution they reserve for passwords. The FBI recommends storing the key offline, never sharing it in response to unsolicited requests, and enabling the app’s built-in registration lock to add another layer of defense.
Source: BleepingComputer. AI-assisted editorial synthesis — TechnoExpress.

