Signal issues scam warning to users after hackers target officials
Getty ImagesSignal has warned users to look out for signs of scams, after Dutch intelligence said high-profile users of the secure messaging app were being targeted by hackers.
Dutch cybersecurity agencies said on Monday a Russia-backed campaign had targeted individual users of Signal, as well as WhatsApp.
They said this had seen hackers pose as support staff to try and obtain details that would give them access to accounts or hijack linked devices - with Dutch officials, military staff and civil servants among those targeted in the "global" campaign.
Signal says its systems remain secure but it is taking reports of such activity "very seriously".
The campaign was identified by Dutch intelligence agencies, the Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD).
They said in a press notice the "large-scale global cyber campaign" appeared to target people of interest to the Russian state, such as government officials and journalists.
"It is not the case that Signal or WhatsApp as a whole have been compromised. Individual user accounts are being targeted," said Simone Smit, AIVD director-general.
Signal reiterated this in a series of posts on X, stressing its systems "have not been compromised and remain robust".
"These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users' accounts," it wrote.
So-called phishing attacks see criminals attempt to convince users to part with passcodes, money or details about their identity - often by impersonating customer support agents, friends, family and celebrities.
In the campaign identified by Dutch intelligence agencies, hackers pretended to be Signal Support to try and get people to share account details.
Allow X content?
Users are asked when creating a Signal account to secure it with a PIN code - something it says should never be shared with anyone.
The company added users should also not share verification codes messaged to their phone number.
WhatsApp has given similar advice, saying users should not share six-digit codes used to secure their account.
It also says people can take extra steps to secure their accounts, including by blocking unknown messages or calls.
'Human bugs'
Signal has stressed while they have protections in place, "user vigilance" is the best way to combat phishing attempts.
"Security features are being weaponised against the users," said Muhammad Yahya Patel, cybersecurity advisor at security firm Huntress.
"In the past, hackers looked for bugs in code. Now, they are looking for human bugs in how humans interact with apps," he told the BBC.
He said convenient features such as letting users access their account on other devices via QR codes, or regain access to it with text verification codes, have become "primary attack vectors being used by criminals".
Patel urged people to regularly check devices linked to their account in settings to make sure no one else can access their messages.
He said users should also be mindful that using an app with end-to-end encryption (E2EE) does not mean "total security".
Getty ImagesE2EE, used to protect messages on Signal and WhatsApp, means only the sender and receiver of a message can read it.
"This type of encryption can't protect the account and device if it becomes compromised," Patel said.
Dutch intelligence services believe Russia targeted Signal because its reputation as a highly secure app has made it popular with officials seeking to communicate securely.
But they said this has also made the app "the ideal place for malicious actors" to try and capture sensitive information.
"Despite their end-to-end encryption option, messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information," said MIVD director Peter Reesink.
Sign up for our Tech Decoded newsletter to follow the world's top tech stories and trends. Outside the UK? Sign up here.
