Signal2d ago

We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.

To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.

Show threadSignal2d ago
These attacks, like all phishing, rely on social engineering. Attackers impersonate trusted contacts or services (such as the non-existent “Signal Support Bot”) to trick victims into handing over their login credentials or other information. To help prevent this, remember that your Signal SMS verification code is only ever needed when you are first signing up for the Signal app.
Show threadSignal2d ago

To protect people from such phishing, Signal actively warns users against sharing their SMS code and PIN.

We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal related code, it is a scam. We make this clear when users receive their SMS code during initial signup.

Show threadRichard Bairwell
@signalapp Why not change the message to "To setup Signal on your new phone, please enter code ..." to make it absolutely clear what the code is for and create additional friction for scammers as they'll have to come up with an excuse as to why it says new phone.
Mar 9 at 7:22pmWeb
Show thread👊🇺🇸🔥1d ago
@rbairwell @signalapp It's not always a new phone. Just a few months ago I purged Signal from my phone before going through CBP on my way back from an international trip, then put it back on the same phone.
Show threadRichard Bairwell1d ago
@Avitus @signalapp True, but at least you would be expecting it and the prompt would make some sense: if it was someone malicious saying "We r Signal, plz confirm the security codez" and the message said "To install on a new phone" I hope most people would question the message.