SAN FRANCISCO: The encrypted messaging app Signal has said it will introduce additional security measures following phishing attacks targeting politicians, military personnel and journalists in several countries in recent months.
Signal wrote in a post on social media on Monday that "in the coming weeks, you’ll see us rolling out a number of changes to help hinder these kinds of attacks," without giving further details.
Signal also stressed that the app's encryption and software had not been hacked. Instead, attackers have tricked users by posing as Signal Support to get login details, Signal said. Every major messaging app was vulnerable to such attacks, in which attackers persuade users to let them in through the "front door."
In recent months, phishing attacks on Signal have been detected in the UK, the Netherlands and most recently Germany, with both Dutch and German officials suggesting that Russia is behind the campaign.
Security officials have warned users to be wary of a suspected state-sponsored phishing campaign targeting Signal, an app known for its high levels of user privacy.
Germany is considering a switch from Signal to Wire for its lawmakers. Andrea Lindholz, Vice-President of Germany's Bundestag, told tabloid Bild that phone numbers aren't disclosed on Wire, email addresses aren’t visible, and the level of security is "significantly higher."
Germany's domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV), and the Federal Office for Information Security (BSI) had first publicly warned of the ongoing cyberattack in February. They later published a further security advisory with specific guidance on what users should do.
Signal said that because it does not store user data as a matter of principle, it was dependent on information from affected users about the attack.
Users reported that attackers had used the fraudulently obtained login credentials to take over accounts – and in many cases also changed the phone number linked to the account. Using the hijacked accounts, they then exploited contact lists and impersonated the account owners.
Signal also stressed that the app's support staff would never ask for verification codes or PINs.
Signal's encryption enjoys such a high reputation that last year senior US government officials, including Vice President JD Vance and Defence Secretary Pete Hegseth, used the app to discuss attacks on the Houthi militia in Yemen.
The contents of those chats became public, however, after the editor-in-chief of The Atlantic, Jeffrey Goldberg, was accidentally added to a group chat. – dpa
