We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.
To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.
To protect people from such phishing, Signal actively warns users against sharing their SMS code and PIN.
We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal related code, it is a scam. We make this clear when users receive their SMS code during initial signup.
While we build robust technical safeguards, user vigilance is ultimately the best defense against phishing. We will continue to work on mitigating these risks via interface design and signposting throughout the app. In the meantime, please stay alert, and never share your SMS verification code or Signal PIN with anyone.
Thank you for pointing this out
@DLink @signalapp this right here.
> We also want to emphasize that Signal Support will *never* initiate contact via in-app messages,
Where is that bold *never* with the "in-app news"?
This is where *you* teach the Average Joe that there may in fact be in-app messages *by you*. Messages nobody actively asked for.
@signalapp as careful as this message is, I think it could be improved. If someone goes to a web page and get phished by being asked to type it into the page, the message will not dter them because it's not someone "asking for the code".
I think the message should say something about where it's intended to be used.
😂
"in a stunning development today, a random mastodon user showed they were able to take over Signal's Signal account. details of the hack remain unclear"
Hmmm, and what about the monthly reminder to enter the personal smartphone code? How to differentiate this from the other?
@unaegeli @signalapp My guess: the reminder is a pop-up dialog. It's not a signal message, email, or text.
I, too, would like to hear Signal's answer to this question.
@unaegeli @signalapp I was just thinking of this.
It sounds like Signal is fairly unique in this setup. We're constantly being bombarded with verification requests, and it can be easy to forget one app works differently.
@solitha
I mean it's hard for some non technical users to make them understand what is the "trusted context" and what is not I suppose?
I mean we had that with mail for years, people should know to check the senders mail, yet still Phishing attacks are often successful.
@unaegeli @signalapp
@PupWrafie Even a legitimate sender's email is not enough. Wasn't all that long ago that someone managed to send out emails *from* company addresses via a third-party vulnerability.
Scammers will always find a way. It's up to the company to take all reasonable steps to alert customers.
@unaegeli
-That's a different code
-It's very clearly a popup, and not in a chat
-To abuse it, one would already need access to the account, i.e. through having completed the other attack
I feel like that reminder is distinct enough as it is
@signalapp
I see the difference now, thanks.
@kainisenni
I think that @unaegeli has a very strong argument. Although different, those reminders condition you to regularly enter a PIN or password. If it happens twice in a row, first the SMS and then your PIN, it's possible to take over an account, especially if you are very busy with something, absent-minded and having a 'blonde' moment.
How can anyone be dumb enough not to remember/write down their PIN, to need reminders??
You should add the ability to sign up with email. I'm not sure that Russian users can log in with a code from SMS.
OK. What about WhatsApp or Telegram?
@izby @signalapp I don't really care what happens to them since I rarely use them. It would be better for everyone if the 3B people on WhatsApp and billion on Telegram also used Signal, but that's not currently the case.
WhatsApp has been Zucked since 2016. Constantly screaming about how private and secure it is while not being open-source means it's probably not secure or private, and even more so when it's a Facebook product.
Everything you do on Telegram is stored in plaintext by default on Telegram's servers, it has a long history of sketchy security, was created by a Russian billionaire, and has been banned, unbanned, and could be banned again in Russia. There was a report in October last year that Telegram is very likely an FSB Honeypot: https://rys.io/en/179.html#:~:text=The%20assumption%20seems%20to%20have%20always%20been,this%20is%20much%20less%20of%20a%20consideration.
I have WhatsApp and Telegram, but I don't do much on either but lurk in sports channels.
This is why I stick to Signal for all my communication. They don't have data to hand over because they don't collect it: https://signal.org/bigbrother/
What are you talking about and which of my arguments are you trying to argue with?
My position: registration by phone number is too dangerous and is not available in some regions where Signal is really needed.
Your position: registration by phone number saves you from tons of spam.
So I asked the question: did registering by phone number save you from spam on WhatsApp and TG?
What matters is how my counterargument influences your counterargument. That's how discussion works.
Bina Femaroll
Signal
ExcelAnalytics
Jakob Nitschke
betalars 
@home
DLink
Beko Pharm
Kaito
Mieszko Ślusarczyk
Elias Mårtenson
FQQD :3 
ᴮᵉⁿ ᴿᵒʸᶜᵉVOTE IN THE PRIMARIES
zrb
Urs Naegeli 🇨🇭🇺🇦
Joel VanderWerf
Raphael
Solitha
PupWrafie
DistroWatch
gunstick
kainisenni
⁉️
Dec [{(
)}]
El Duvelle
Sam Izby
👊🇺🇸🔥