Signal Users Targeted In Phishing Attacks Trying To Steal Backup Recovery Keys
Signal users are being targeted in a new phishing campaign that tries to steal the recovery keys used to unlock encrypted chat backups. The messages impersonate Signal Support and warn recipients that their chats and media could be lost unless they share a backup recovery key.
The campaign was publicly flagged after Washington Post analyst Josh Rogin posted a screenshot of the fake message on May 27, 2026. A TechCrunch report said the phishing messages were also seen by anti-CCP activists and by people who contacted Access Now’s Digital Security Helpline.
The attack targets a sensitive part of Signal’s security model. Signal’s Secure Backups feature protects backup archives with a 64-character recovery key that is generated on the user’s device and never shared with Signal’s servers.
How The Signal Backup Phishing Attack Works
The scam starts with a message from an account pretending to be Signal Support. The message claims that the user’s backed-up chats and media are at risk because of a sync issue. It then asks the user to paste their recovery key into the chat to keep the backup linked to the account.
The message uses urgency to make the request feel legitimate. That tactic matters because many users trust Signal as a private messaging app and may not expect a phishing attempt to arrive inside the app itself.
Malwarebytes reported that the attacker still needs account access before using the stolen recovery key to restore and decrypt a backup. Even so, stealing the key is a critical step because the backup cannot be decrypted without it.
| Attack stage | What happens | Why it matters |
|---|---|---|
| Impersonation | A fake account claims to be Signal Support | Victims may trust the request because it appears inside Signal |
| Urgent warning | The message claims chats and media may be lost | Users may act quickly without checking the request |
| Key theft | The victim is asked to share a 64-character recovery key | The key can unlock an encrypted backup if the attacker also gains account access |
| Backup access | The attacker tries to restore the encrypted archive | Older messages, files, photos, and documents may be exposed |
Why The Recovery Key Is So Valuable
Signal Secure Backups are optional, but they can contain a large amount of private data. Signal says a secure backup archive can include text messages and recent media, while a paid plan can store more media history.
The recovery key is the only way to unlock that encrypted archive. Signal’s backup support page says no one, including Signal, can read, decrypt, or restore a Secure Backup Archive without the unique recovery key.
That design protects users from server-side access, but it also makes phishing more dangerous. If a user gives the recovery key to an attacker, the attacker has obtained the secret that protects the archive.
Signal Says It Will Not Ask For Recovery Keys In Chat
Signal has clear guidance for this situation. The company’s phishing and impersonation guidance says Signal staff will never ask users to verify a PIN or recovery key in a chat conversation.
Signal also says staff will not initiate contact through phone calls, SMS, or social media. The only official Signal announcement chat is view-only, and users cannot exchange messages with it.
The company’s broader protection guidance tells users to slow down when someone creates urgency, avoid suspicious links, and remember that Signal will never ask for codes, PINs, keys, or payment information in a chat or call.
- Do not reply to messages claiming to be Signal Support.
- Never share a recovery key, Signal PIN, or verification code.
- Report and block suspicious message requests inside Signal.
- Confirm account warnings only through official Signal support channels.
- Review linked devices and security settings if you interacted with a suspicious account.
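Signal's stated policy (staff never ask for PINs, keys, codes or payment in a chat) can be turned into a simple triage rule for a helpline intake tool or a security awareness exercise. The block below is an added example, not code from Signal or from any of the reports cited; the sample messages are constructed, and the recovery-key pattern assumes a 64-character alphanumeric key shown in groups of four.

```python
import re

# Constructed sample messages for this example; the first mirrors the lure described
# in the article (Signal Support impersonation, sync-issue pretext, key request).
SAMPLE_MESSAGES = [
    "Hello, this is Signal Support. Due to a sync issue your backed-up chats and "
    "media are at risk and will be lost within 24 hours. Please paste your backup "
    "recovery key here to keep the backup linked to your account.",
    "Hey, are we still meeting at 6 tomorrow?",
    "FYI: Signal Support published a new help article about backups today.",
]

# Signal's own guidance: staff never ask for codes, PINs, keys or payment in a chat.
IMPERSONATION = re.compile(r"\bsignal (support|team|security|staff)\b")
URGENCY = re.compile(r"\b(immediately|urgent|at risk|within \d+ (hours|minutes)|will be (lost|deleted))\b")
SECRET_TERM = re.compile(r"\b(recovery key|pin|verification code|passcode|payment)\b")
REQUEST_VERB = re.compile(r"\b(send|share|paste|verify|confirm|provide|enter)\b")
# Assumption: a backup recovery key is 64 alphanumeric characters, shown in groups of 4.
RECOVERY_KEY = re.compile(r"(?<![A-Za-z0-9])(?:[A-Za-z0-9]{4}[ -]?){16}(?![A-Za-z0-9])")


def triage(message: str) -> dict:
    """Score an inbound message against the indicators the article describes."""
    text = message.lower()
    indicators = []
    if IMPERSONATION.search(text):
        indicators.append("claims_to_be_signal")
    if URGENCY.search(text):
        indicators.append("urgency")
    if SECRET_TERM.search(text) and REQUEST_VERB.search(text):
        indicators.append("requests_secret")
    # Any request for a secret in chat contradicts Signal's stated policy, so it
    # is treated as phishing on its own; the other cues alone only raise suspicion.
    if "requests_secret" in indicators:
        verdict = "phishing"
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": indicators}


def contains_recovery_key(outgoing: str) -> bool:
    """Outbound check: warn before a message that looks like a recovery key is sent.
    A 64-character hex hash would also match; that is an acceptable false positive."""
    return RECOVERY_KEY.search(outgoing) is not None


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(triage(m)["verdict"], "<-", m[:50])
```

The outbound check is the more useful half for a high-risk user: a warning when something that looks like a 64-character key is about to leave the device catches the mistake regardless of how convincing the incoming message was.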
Why Journalists And Activists Are At Higher Risk
The campaign appears to have targeted people who rely on Signal for sensitive communications. Rogin said anti-CCP activists received the phishing attempt, while TechCrunch reported that Access Now’s Digital Security Helpline saw similar messages from two other people.
The TechCrunch article said those reports suggest the campaign could be wider than one activist community, or that more than one group may be using the same tactic.
This makes the attack especially serious for journalists, dissidents, activists, lawyers, researchers, and civil society groups. A stolen backup may contain years of conversations, source material, photos, documents, and contact history.
How Users Can Protect Their Signal Accounts
Users should enable Registration Lock to make account takeover harder. Signal says a PIN can serve as a registration lock, which adds another verification layer when someone tries to register the same phone number on a new device.
The Signal PIN page explains that the PIN helps recover profile, settings, contacts, and block list information, and can also support Registration Lock. Users should choose a strong PIN and avoid sharing it with anyone.
Users who already shared a recovery key should act quickly. They should delete the suspicious chat, report the account, review linked devices, enable or confirm Registration Lock, and consider deleting the old backup and creating a new secure backup with a new recovery key.
| Protective step | What it helps prevent |
|---|---|
| Enable Registration Lock | Makes it harder for attackers to register your number on another device |
| Store the recovery key in a password manager or offline note | Reduces the chance of accidental sharing or cloud exposure |
| Report and block fake support chats | Helps stop the attacker from continuing the conversation |
| Use disappearing messages for sensitive chats | Limits how much old data may exist if an account is later compromised |
| Update Signal and your operating system | Keeps account and device protections current |
What To Do If You Receive The Fake Signal Support Message
If a message asks for a recovery key, PIN, verification code, or payment detail, treat it as a scam. Signal’s official scam guidance tells users not to reply or share information, and to report and block the account in the app.
Users should also warn contacts who may be targeted, especially in activist, journalist, or civil society networks. If the attacker also tries to take over the phone number or Signal account, contacts may receive messages from a compromised profile later.
Malwarebytes researchers said the phishing campaign shows why users should never share a recovery key, even when the request looks urgent or official.
Secure Apps Still Need User Awareness
Signal’s encryption protects messages from many technical threats, but phishing attacks target user trust instead of breaking encryption. The attacker does not need to defeat Signal’s backup encryption if the victim voluntarily hands over the key.
This is why the safest rule is simple: Signal Support will not ask for secrets in a chat. Users should treat any message requesting a Signal recovery key as malicious, regardless of the account name, profile image, or tone of the message.
High-risk users should review Signal’s account protection tips, enable the protections available to them, and keep recovery keys stored somewhere safe and private. They should also remember that a Signal PIN and a backup recovery key serve different purposes, and neither should be shared with anyone.
FAQ
It is a phishing campaign where attackers impersonate Signal Support and ask users to share their Secure Backups recovery key. The goal is to obtain the key needed to decrypt an encrypted backup archive.
No. Signal says its staff will never ask users to verify a PIN or recovery key inside a chat conversation. Any message asking for that information should be treated as a phishing attempt.
A recovery key can unlock a Secure Backup Archive if the attacker also gains access to the Signal account and backup restore flow. That archive may include older messages, files, photos, and other backed-up data.
Do not share recovery keys, PINs, or verification codes. Enable Registration Lock, report fake support chats, keep Signal updated, and store your recovery key only in a trusted password manager or another private location.
Report and block the suspicious account, review linked devices, enable Registration Lock, and consider deleting the old secure backup and creating a new one with a new recovery key. High-risk users should also contact a trusted digital security support organization.