The FBI Says Hackers Want Your Signal 'Backup Key'. One Key Unlocks Your Whole History.

June 28, 2026 · 4 min read

TL;DR - Signal is end-to-end encrypted, but there is one thing that can restore and unlock your entire message history: your Backup Recovery Key. The FBI and CISA warned this week that Russian intelligence hackers are phishing people into handing it over, by posing as Signal support and claiming a "mandatory" new security step. This campaign targets officials and journalists, but the trick works on anyone. The rule that beats it: no real service ever asks you to paste a recovery key. That request is the scam.

Signal has a deserved reputation as one of the most private messaging apps you can use. Everything is end-to-end encrypted, which means even Signal itself cannot read your messages. So a warning from the FBI and CISA this week sounds almost contradictory: Russian intelligence hackers are stealing people's Signal message history. They are not breaking the encryption. They are getting people to hand over the one key that makes the encryption beside the point.

What the backup key actually is

Signal lets you back up your messages so you do not lose them when you change phones. To protect that backup, it gives you a long Backup Recovery Key, a string of characters that is the only thing able to unlock and restore it. It is meant to live somewhere safe and private, like the recovery codes your bank or password manager hands you and tells you to keep secret.

Anyone who has that key can restore your backup on their own device and read everything in it. That is what makes the key work, and it is also exactly why it is worth stealing.

How the scam works

The attack, which the FBI and CISA detailed in an updated advisory this week, starts with a message pretending to be from Signal support. It claims that after a wave of attacks, Signal is rolling out a mandatory new two-factor security step you need to complete right now. Then it walks you through it: turn on Signal backups, open your Backup Recovery Key, and paste it into the chat to confirm.

Hand it over once, and the attacker restores your backup on their device, reads your entire private and group history, and can take over the account. Worse, setting up a fresh Signal account on the same phone number does not cancel the stolen key, so the usual instinct of just reinstalling the app does not save you.

"But I'm not a Russian spy"

Fair point, and worth being honest about: this specific campaign is hunting high-value targets, including current and former government officials, military, journalists, and people connected to Ukraine. Not the average person.

But two things make it your problem anyway. The technique, tricking someone into handing over a recovery key, is not special to Signal or to spies. It is the same move used against crypto wallets, password managers, and bank accounts every single day. And tactics that work for state hackers get copied down to ordinary scammers fast. The specific targets this month are not you. The method absolutely could be.

The one rule that defuses all of it

There is a single rule here, and it goes well beyond Signal: no legitimate company will ever ask you to read out, paste, or share a recovery key, a backup key, a seed phrase, or a set of recovery codes. Those things exist precisely so that only you hold them.

The moment a message, a "support agent", or a pop-up asks you to hand one over, you are not completing a security step. You are being robbed of the one thing that protects you. And a real mandatory security feature never arrives as a message telling you to paste a secret into a chat with urgency attached.

What to actually do

  • Never share a recovery or backup key with anyone, for any reason, no matter who they claim to be. There is no legitimate situation where you need to.
  • Treat "urgent mandatory new security step, do it right now" as a red flag by itself. The urgency is the pressure, and pressure is the scammer's main tool.
  • If you want to change a security setting, open the app yourself and do it in its real settings. Do not follow steps that someone sent you in a message.
  • If you have already pasted a recovery key somewhere, assume it is burned. In Signal's settings, turn off and reset your backup so the old key stops working, and re-secure the account.

Encryption is brilliant at stopping someone from reading your messages in transit. It can do nothing about you being talked into opening the door yourself. The good news is that the defence is as simple as the attack: your keys are yours, and nobody legitimate will ever ask you for them.