SignalMar 9

We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.

To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.

Show threadSignalMar 9
These attacks, like all phishing, rely on social engineering. Attackers impersonate trusted contacts or services (such as the non-existent “Signal Support Bot”) to trick victims into handing over their login credentials or other information. To help prevent this, remember that your Signal SMS verification code is only ever needed when you are first signing up for the Signal app.
Show threadSignalMar 9

To protect people from such phishing, Signal actively warns users against sharing their SMS code and PIN.

We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal related code, it is a scam. We make this clear when users receive their SMS code during initial signup.

Show threadSignalMar 9

While we build robust technical safeguards, user vigilance is ultimately the best defense against phishing. We will continue to work on mitigating these risks via interface design and signposting throughout the app. In the meantime, please stay alert, and never share your SMS verification code or Signal PIN with anyone.

https://support.signal.org/hc/en-us/articles/9932566320410-Staying-Safe-from-Phishing-Scams-and-Impersonation

Staying Safe from Phishing, Scams, and Impersonation

We provide a privacy-first, end-to-end encrypted (E2EE) messaging and calling platform designed so only you and your intended recipients can communicate securely. Even with strong encryption, attac...

Signal Support
Show threadMieszko Ślusarczyk
@signalapp implementing authentication using more secure methods (passkeys, physical security keys) could eliminate that risk.
Mar 10 at 12:27amIvory for iOS
Show threadzvyn3d ago
@spitfire @signalapp that does not solve the same problem as far as I understand. As I understand it, the scam consists of setting up a new phone device and getting the SMS confirmation code or PIN for transferring to that device from the victims phone number via phishing. Using anything loosable or device-local would mean locking out some users (=phone numbers) indefinetly.
Show threadMieszko Ślusarczyk3d ago
@zvyn @signalapp passkeys can be synced across devices. You can’t share a passkey with a scammer (all you’re sending is the public key) like you can with TOTP code.
Show threadzvyn3d ago
@spitfire @signalapp the SMS code is still needed to confirm the phone number of the new device. But you are right that keeping the same account could be tied to a passkey instead of the PIN.
Show threadMieszko Ślusarczyk3d ago
@zvyn @signalapp is used quite often by security conscious people, introducing security key support would be in line with its purpose