FBI cautions on Russian phishing targeting Signal backups

Russian intelligence operatives have stepped up phishing campaigns against Signal users, moving beyond account credentials to target the app’s Backup Recovery Key. According to the FBI and CISA, once attackers obtain the key, they can restore a user’s Signal backup, read past private and group messages, and maintain persistent control over the account without the user’s knowledge.
The agencies updated an earlier advisory first issued in March, highlighting a shift in tactics. Instead of merely stealing login details, the threat actors now trick targets into surrendering the 30-digit Backup Recovery Key—often presented as a one-time verification step during a bogus support interaction. Because the key remains valid indefinitely, compromised accounts can be repeatedly accessed and monitored long after the initial theft.
A subtle but critical change
Security experts note that this evolution reflects a broader trend among state-backed groups: moving from quick credential theft to acquiring long-term access mechanisms. Signal’s backup system, designed to help users recover conversations on new devices, becomes a powerful weapon in the wrong hands. The FBI emphasizes that even users who believe they have secured their accounts remain vulnerable if their recovery key is exposed.
Steps users can take
The FBI recommends enabling Signal’s registration lock, which requires a PIN before a new device can link to an account. Users should also avoid entering their Backup Recovery Key outside the official app and verify any unsolicited support requests through official channels. Regularly checking linked devices in Signal’s settings can help spot unauthorized access early. While the risk is real, simple precautions can sharply reduce the chances of falling victim.
Source: The Hacker News. AI-assisted editorial synthesis — TechnoExpress.

