Hackers are targeting Signal users in an attempt to steal their chat backups as part of a new phishing campaign, TechCrunch has learned.

Washington Post analyst Josh Rogin posted a screenshot of the attack, in which hackers impersonate Signal’s support team and warn targets that their backed-up chats and media are “at risk of permanent loss due to a sync issue.” The message instructs targets to share their recovery key — used to access online backups — with the attackers.

“This links your existing backup to your account. Failure to do this may result in losing access to your account and all stored data,” read the message, purporting to come from an account called Signal Support.

Rogin noted that several anti-Chinese Communist Party activists have received this malicious message. Mohammed Al-Maskati, director at Access Now’s Digital Security Helpline — which investigates cyberattacks against journalists, dissidents, and human rights activists — told TechCrunch that two additional people shared similar messages with him, and that neither is a Chinese activist. This suggests the campaign may be broader in scope, targeting other communities, or that multiple threat actors are using the same approach.

Al-Maskati noted that stealing a victim’s recovery key is only one step in the attack; hackers would still need to take over the victim’s account to complete it.

Signal has stated that it “will never reach out” to users first, and will never ask for a registration code, PIN, or recovery key. Any message claiming to be from “Signal Support” should be treated as malicious. The organization publicly warned about this type of attack last month.

This campaign differs from previous Signal-targeting attacks, which attempted to hijack accounts and impersonate users — often to access contacts or send messages as the account owner. Those attacks did not expose past messages, since re-registering an account on a new device does not carry over older chat history. Targeting backups directly is a newer approach that could give attackers access to a victim’s historical messages, photos, and documents.


Source: Phishing Campaign Targets Signal Users’ Chat Backup Recovery Keys