Signal Phishing Campaign Targets Journalists and Activists to Steal Backup Recovery Keys


Attackers are texting Signal users while posing as Signal Support and asking for backup recovery keys. With that key and access to the account, they can decrypt the entire message history, not just future chats.

A phishing campaign is currently targeting Signal users with text messages that impersonate Signal Support and ask them to hand over their backup recovery key. The message looks urgent, warns of imminent data loss, and asks the victim to paste a 64-character key directly into the chat. That key unlocks everything.

“A new phishing campaign is targeting Signal users by attempting to steal their backup recovery keys to access encrypted message archives,” reads the report published by Malwarebytes. “The attack is initiated by a text message pretending to come from Signal Support.”

The message reads like this: your Signal account data is at risk of permanent loss due to a sync issue, go to Settings, find your recovery key, copy it, paste it here. The name shown for the sender is one the sender chose for their own profile, and the “Name not verified” label under it is Signal’s warning of exactly that. The label is visible to anyone who looks, but urgency and the fear of losing years of messages are effective enough that some people don’t look.

The attack targets Signal’s Secure Backups feature, which stores encrypted archives of your conversations on Signal’s servers. The recovery key is what decrypts them. It never leaves your device and is never shared with Signal itself. If an attacker obtains that key and can also access the account, they can download and decrypt the victim’s entire message history: not just what is sent after the compromise, but everything stored in the backup.

“That key should never leave the user’s device and is never shared with Signal’s servers. If hackers obtain this key and gain control of a victim’s account, they can download and decrypt the entire message history,” continues the report. “For an attacker, that’s even better than hijacking an account, which would only give them access to future messages.”

That’s the point. Most account-takeover attacks give the attacker a forward-looking window. This one gives them the archive.
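The lure described above is mechanical enough to screen for: an unverified sender claiming a Signal Support identity, a data-loss deadline, and an instruction to paste a secret into the chat. The following is an added example and not code from Signal, from Malwarebytes or from this article. It scores received messages against those three traits and, separately, flags an outgoing message that contains something shaped like a backup recovery key, since the article’s whole point is that the key should never leave the device. The key format it matches (64 letters and digits, optionally grouped by spaces or dashes) is an assumption based only on the article’s “64-character key”; the `Message` and `Verdict` records, the scoring weights and the sample conversation are all constructed for this example.

```python
"""Heuristic screen for recovery-key phishing lures.

Added example, not code from Signal, Malwarebytes or Security Affairs.
Each chat message is modelled as a small record and scored two ways:
  * inbound: does it claim a support identity, apply urgency, and ask the
    user to send a registration code, PIN or recovery key?
  * outbound: is the user about to paste something shaped like a 64-character
    backup recovery key, and to whom?
Assumption: the recovery key is 64 letters/digits, optionally grouped by
spaces or dashes (the article only says "64-character key").
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Sender names or message text claiming to be Signal staff.
SUPPORT_IMPERSONATION = re.compile(r"\bsignal\s+(?:support|team|security|staff)\b", re.I)
# Secrets the article says Signal will never ask for.
SECRET_REQUEST = re.compile(
    r"\b(?:recovery\s+key|backup\s+key|registration\s+code|verification\s+code|pin)\b", re.I)
# Verbs that turn a mention of a secret into a request to hand it over.
SEND_ACTION = re.compile(r"\b(?:paste|send|reply\s+with|share|enter|provide)\b", re.I)
# Pressure language taken from the lure quoted in the article.
URGENCY = re.compile(
    r"\b(?:permanent(?:ly)?\s+(?:loss|lost|deleted)|at\s+risk|immediately"
    r"|within\s+\d+\s+(?:hours?|minutes?)|suspend(?:ed)?)\b", re.I)
# Assumed key shape: 16 groups of 4 letters/digits, separators optional,
# bounded on both sides so longer alphanumeric runs are not matched.
KEY_SHAPE = re.compile(r"(?<![A-Za-z0-9])(?:[A-Za-z0-9]{4}[ -]?){16}(?![A-Za-z0-9])")


@dataclass
class Message:
    direction: str        # "in" (received) or "out" (about to be sent)
    peer_display: str     # name shown for the other party in the chat
    peer_verified: bool   # False when Signal shows "Name not verified"
    text: str


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3   # threshold chosen for this example


def score_inbound(msg: Message) -> Verdict:
    """Score a received message for the support-impersonation lure."""
    v = Verdict()
    claims_support = bool(SUPPORT_IMPERSONATION.search(msg.peer_display)
                          or SUPPORT_IMPERSONATION.search(msg.text))
    if claims_support:
        v.add(1, "sender name or text claims to be Signal support")
        if not msg.peer_verified:
            v.add(2, "support identity claimed by a 'Name not verified' sender")
    if SECRET_REQUEST.search(msg.text) and SEND_ACTION.search(msg.text):
        v.add(3, "asks the user to send a code, PIN or recovery key")
    if URGENCY.search(msg.text):
        v.add(1, "urgency or data-loss pressure")
    return v


def score_outbound(msg: Message) -> Verdict:
    """Score a message the user is about to send: is a key leaving the device?"""
    v = Verdict()
    if KEY_SHAPE.search(msg.text):
        v.add(3, "outgoing text contains a 64-character key-shaped string")
        if not msg.peer_verified:
            v.add(1, "recipient is not a verified contact")
        if SUPPORT_IMPERSONATION.search(msg.peer_display):
            v.add(1, "recipient poses as Signal support")
    return v


def classify(msg: Message) -> Verdict:
    return score_outbound(msg) if msg.direction == "out" else score_inbound(msg)


def scan(messages: list[Message]) -> list[tuple[int, Verdict]]:
    """Return (index, verdict) for every message that crosses the threshold."""
    flagged = []
    for i, m in enumerate(messages):
        v = classify(m)
        if v.suspicious:
            flagged.append((i, v))
    return flagged


# Constructed sample conversation; message 0 paraphrases the lure in the article.
SAMPLES = [
    Message("in", "Signal Support", False,
            "Your Signal account data is at risk of permanent loss due to a sync "
            "issue. Go to Settings > Backups, copy your recovery key and paste it here."),
    Message("in", "Alice", True,
            "Did you back up your phone before the trip? I lost my recovery key once."),
    Message("out", "Signal Support", False, "here it is: " + " ".join(["k7f2"] * 16)),
    Message("out", "Alice", True, "see you at 7"),
]

if __name__ == "__main__":
    for i, v in scan(SAMPLES):
        print(f"message {i}: score {v.score}: " + "; ".join(v.reasons))
```

On the constructed samples the lure scores 7 and the outgoing key paste scores 5, while the two benign messages score 0. The inbound rules are deliberately conjunctive (a secret has to be named together with a verb asking for it) so that a friend mentioning a lost recovery key is not flagged. The outbound check is the one worth keeping even if the vocabulary drifts: a warning at the moment a 64-character key-shaped string is about to be sent to an unverified contact is independent of how the attacker words the request. Being regex-based, it will also flag any other 64-character alphanumeric blob, such as a hex digest, which is an acceptable false positive for a prompt but not for a hard block.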
Journalists, activists, lawyers — anyone whose past conversations are sensitive — are more valuable targets than someone whose history is mundane.

For now, the attacks appear targeted. Reports have emerged of campaigns against journalists and Chinese activists, and researchers who track threats against dissidents and human rights workers have flagged the pattern. But targeted attacks rarely stay targeted once a technique proves effective, and the mechanics here are simple enough to copy.

To stay safe, remember that Signal will never contact users first or ask for registration codes, PINs, or recovery keys. Treat unsolicited support messages as suspicious, avoid clicking links in account-warning messages, and never share verification codes or other authentication secrets. Enable security features such as Registration Lock, PIN protection, and device-change alerts. Using disappearing messages can reduce what is exposed if an account is compromised, and scam-detection tools can help identify phishing attempts.

Recently, suspected Russian phishing via Signal targeted German officials, exploiting trust to gain access to accounts and sensitive political communications. According to multiple reports [1, 2, 3], the campaign targeted high-profile individuals, including German politicians, ministers, military personnel, diplomats, and journalists. German prosecutors have launched an investigation into what they believe may be a coordinated espionage effort, with early evidence suggesting a state-sponsored actor.

Victims were approached through messages impersonating official Signal support or trusted contacts, prompting them to share authentication codes, scan malicious QR codes, or click crafted links.
Once an account was compromised, the attackers gained access to private chats, contact lists, and potentially sensitive political discussions.

One of the most notable targets was Julia Klöckner, whose account was reportedly compromised through a phishing attempt embedded in what appeared to be a legitimate group chat linked to her political party. The operation also attempted to target German Chancellor Friedrich Merz, although no compromise was confirmed in that case. Authorities estimate that hundreds of accounts may have been affected.

Pierluigi Paganini (SecurityAffairs – hacking, Signal)