Signal is end-to-end encrypted, but that doesn’t matter if you hand over your keys. An active phishing campaign is targeting Signal users by impersonating the platform’s support desk to steal backup recovery keys.
Attackers threaten victims with permanent data loss from a fake “sync error,” pressuring them to share their private recovery key. Once they have it, they can decrypt and read your entire chat history.
This is how the attack works and how to stop it.
Key Takeaways
- Attackers are sending in-app chat requests pretending to be “Signal Support” to trick users into sharing their backup recovery keys.
- Your 30-digit backup recovery key is the sole key used to decrypt your cloud-stored and local chat history.
- Signal never initiates direct chats with users and will never ask for your PIN, SMS verification codes, or recovery keys.
- You can secure your account from takeovers by enabling Registration Lock and regenerating compromised recovery keys.
The Chaos Scenario: A Real-World Threat
You’re rushing through a busy transit terminal, checking messages over spotty public Wi-Fi. Your phone buzzes with a chat request from an account using the Signal logo, titled “Signal Support.”
The message says a database sync issue has put your entire message history at risk of permanent deletion. To fix it, you’re told to copy your 30-digit backup recovery key from settings and paste it directly into the chat.
If you’re a journalist protecting sources or an activist coordinating a campaign, panic sets in. You don’t want to lose years of messages, so you paste the key.
Within minutes, attackers register your number on a new device, decrypt your backups with the stolen key, and lock you out completely.
Anatomy of the Signal Support Phishing Campaign
This attack exploits the trust users have in Signal’s security. When you know a platform is built for privacy, you’re less suspicious of security warnings that show up inside the app.
The phishing message follows a predictable pattern:
[Signal Support]
ALERT: A critical database synchronization conflict has been detected on your device.
Your secure backups are at risk of permanent loss.
To verify ownership and sync your message history, please go to:
Settings > Chats > Chat Backups and provide your 30-digit Recovery Key.
Failure to verify within 24 hours will result in account termination.
The False Premise
This warning is completely fake. Signal’s servers are zero-knowledge. The platform doesn’t monitor database sync status for individual accounts, and there’s no mechanism to “verify” backups using your private key.
If you hand over that key, you’re not fixing a sync error. You’re giving the attacker your database decryption code.
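The pattern above is regular enough to score mechanically. The following Python heuristics are an added example, not code from the original article or from Signal: each rule captures one trait of the lure (an impersonated staff sender, a request to hand over a secret, an urgency clause, a pointer to the backup settings screen), and a message is flagged only when the high-weight traits combine. The weights, threshold and sample messages are constructed for the illustration.

```python
import re
from dataclasses import dataclass, field

# Weighted heuristics drawn from the message pattern quoted above. Each rule is
# (label, weight, compiled pattern, which field of the message it inspects).
RULES = [
    ("sender impersonates Signal staff", 3,
     re.compile(r"\bsignal\b.*\b(?:support|admin|team|security|help)\b", re.I), "sender"),
    ("asks you to hand over a secret", 3,
     re.compile(r"\b(?:provide|send|paste|share|enter|reply with)\b.{0,40}?"
                r"(?:recovery key|backup key|\bpin\b|verification code|sms code)",
                re.I | re.S), "text"),
    ("artificial urgency or threat", 1,
     re.compile(r"within \d+ hours|permanent(?:ly)? (?:loss|delet)|terminat|suspend", re.I), "text"),
    ("walks you to the backup settings screen", 1,
     re.compile(r"settings\s*>\s*chats", re.I), "text"),
]
# Constructed threshold: a lone urgency phrase or settings path is not enough to flag.
PHISHING_THRESHOLD = 4


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def is_phishing(self) -> bool:
        return self.score >= PHISHING_THRESHOLD


def assess(message: dict) -> Verdict:
    """Score one in-app message given as a dict with 'sender' and 'text' keys."""
    verdict = Verdict()
    for label, weight, pattern, where in RULES:
        if pattern.search(message.get(where, "")):
            verdict.score += weight
            verdict.reasons.append(label)
    return verdict


def triage(messages: list) -> list:
    """Return (sender, Verdict) pairs for a batch of messages."""
    return [(m["sender"], assess(m)) for m in messages]


# Constructed sample messages; the first mirrors the lure quoted above, the
# last mentions a recovery key without asking for it and must not be flagged.
SAMPLE_MESSAGES = [
    {"sender": "Signal Support",
     "text": ("ALERT: A critical database synchronization conflict has been detected on "
              "your device. Your secure backups are at risk of permanent loss. To verify "
              "ownership and sync your message history, please go to: Settings > Chats > "
              "Chat Backups and provide your 30-digit Recovery Key. Failure to verify "
              "within 24 hours will result in account termination.")},
    {"sender": "Alice", "text": "Are we still on for lunch tomorrow?"},
    {"sender": "Signal Admin",
     "text": "Please send your PIN to confirm your identity before your account is suspended."},
    {"sender": "Bob", "text": "I lost my recovery key, how do I make a new one?"},
]

if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_MESSAGES):
        flag = "PHISHING" if verdict.is_phishing else "ok"
        print(f"{flag:8} {sender!r:18} score={verdict.score} {', '.join(verdict.reasons)}")
```

The secret-request rule requires an imperative verb within a short window before the secret's name, so a user asking a friend how to regenerate a lost key scores zero while the lure scores the maximum.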
The Security Mechanics: PIN vs. Recovery Key
To protect your account, you need to understand the two layers of authentication Signal uses:
| Security Layer | What It Is | What Happens If Compromised |
|---|---|---|
| Registration PIN | A 4-to-8 digit PIN used to verify your identity when installing Signal on a new device. | An attacker can take over your account on a new phone, but they cannot read your old message history. |
| Backup Recovery Key | A 30-digit numeric key generated on your device that encrypts your message store. | An attacker who has taken over your account can download your encrypted backup from the cloud and decrypt it, reading all messages. |
Normally, if an attacker intercepts your SMS code, they can register your account on their device but get a blank screen. Your chats stay encrypted on your device or in your private cloud backup.
But combine an SMS swap with a stolen recovery key from a phishing attack, and the attacker gets full access to your entire readable archive.
How to Protect Your Signal Account
Two built-in security features can protect you from account takeovers and message leaks.
1. Enable Registration Lock
Registration Lock prevents anyone from re-registering your phone number on a new device without entering your Signal PIN. This blocks attackers even if they manage to redirect your SMS codes via SIM-swapping.
To turn this on:
- Open Signal on your device.
- Tap your profile icon to open Settings.
- Navigate to Account.
- Toggle Registration Lock to ON.
If you forget your PIN and try to register Signal on a new device, you will be locked out of your account for 7 days. Keep this PIN stored securely in an offline password manager.
2. Regenerate a Compromised Recovery Key
If you think you’ve pasted your recovery key in a chat or exposed it in a screenshot, revoke the old key and generate a new one right away.
To rotate your recovery key:
- Open Signal Settings and select Chats.
- Tap Chat Backups.
- Tap Turn Off to disable backups. This action deletes your existing backup file and invalidates the active recovery key.
- Tap Turn On to re-enable backups.
- Signal will prompt you to generate a new 30-digit recovery key. Write this key down or save it inside your encrypted password manager.
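To make the PIN-versus-recovery-key distinction from the table concrete, and to show why the rotation procedure above invalidates a leaked key, here is an added Python model. It is not Signal's code: the backup is encrypted under a key derived from a 30-digit recovery key, an attacker holding only a registration (modelled as having to guess the key) gets nothing, an attacker holding the phished key reads everything, and turning backups off and on re-keys the archive so the old key no longer opens it. The PBKDF2 derivation, the HMAC-based stream cipher standing in for AES-256, the blob layout and the sample chat history are all assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumed parameter for the illustration, not Signal's


def generate_recovery_key() -> str:
    """30 decimal digits, the format the article describes; generation is a stand-in."""
    return "".join(str(secrets.randbelow(10)) for _ in range(30))


def derive_backup_key(recovery_key: str, salt: bytes) -> bytes:
    """Stretch the 30-digit key into a 256-bit master key (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", recovery_key.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream: a toy stand-in for AES-256 so the
    example needs only the standard library. Not for real use."""
    blocks = [hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(master: bytes):
    return (hmac.new(master, b"enc", "sha256").digest(),
            hmac.new(master, b"mac", "sha256").digest())


def encrypt_backup(recovery_key: str, history: bytes) -> bytes:
    """Produce the blob that would sit in cloud storage: salt | nonce | ciphertext | tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_backup_key(recovery_key, salt))
    ciphertext = bytes(p ^ k for p, k in zip(history, _keystream(enc_key, nonce, len(history))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def decrypt_backup(recovery_key: str, blob: bytes) -> Optional[bytes]:
    """Return the chat history, or None when the key does not authenticate the blob."""
    if len(blob) < 64:
        return None
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _subkeys(derive_backup_key(recovery_key, salt))
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def simulate() -> dict:
    """Walk through the scenarios in the article and report who can read the history."""
    history = b"alice: meet at the usual place\nbob: bring the documents"  # constructed
    key = generate_recovery_key()
    backup = encrypt_backup(key, history)          # the encrypted cloud backup

    # Attacker with only the SMS code: registered on a new device, no recovery key.
    # Without the key, all they can do is guess; a fresh random key models one guess.
    sms_only = decrypt_backup(generate_recovery_key(), backup)

    # Attacker who phished the recovery key.
    phished = decrypt_backup(key, backup)

    # Rotation: backups turned off (old blob deleted) and on again (new key, new blob).
    new_key = generate_recovery_key()
    new_backup = encrypt_backup(new_key, history)

    return {
        "sms_only_reads_history": sms_only == history,
        "phished_key_reads_history": phished == history,
        "old_key_after_rotation": decrypt_backup(key, new_backup) == history,
        "new_key_after_rotation": decrypt_backup(new_key, new_backup) == history,
    }


if __name__ == "__main__":
    for scenario, readable in simulate().items():
        print(f"{scenario:28} {'READABLE' if readable else 'locked'}")
```

The authentication tag is what makes the model honest: a wrong key does not yield garbage, it yields nothing, so the only path to the plaintext is the exact 30-digit string the user was tricked into pasting.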

Your Defense Checklist
- Ignore Unsolicited Support Chats: Signal will never initiate a direct message conversation with you. If you see a user icon labeled “Signal Support” or “Signal Admin” reaching out to you, block and report the contact.
- Never Share Your Key: No legitimate security platform, developer, or administrator will ever ask for your PIN, verification code, or recovery key.
- Verify Out-of-Band: If you receive a warning about account status, check Signal’s official status page or documentation online instead of interacting with the sender.
Frequently Asked Questions
Can Signal support staff contact me in the app?
No. Signal does not have an in-app chat support system. Support is handled exclusively through their official web help desk. Any account claiming to represent support in your contact list is an impersonator.
Can an attacker read my chats if they only have my SMS verification code?
No. Your messages are encrypted locally on your device. If an attacker gains your SMS code, they can register your number, but they will not be able to read any past chat logs unless they also have your 30-digit recovery key to decrypt your backups.
How do I check if my backups are encrypted?
All backups generated by Signal are encrypted by default using AES-256. Backups cannot be turned on without generating a recovery key, which is the only key capable of unlocking the backup archive.
Where should I store my Signal recovery key?
Write it down on a physical card and keep it in a secure location, or save it inside a local, encrypted password manager. Never store it as a plain text file on your desktop, and never save it inside your phone’s default unencrypted notes app.