
FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys

Source: thehackernews.com | Date: 2026-06-27 | Category: data leakage | Severity: High

What Happened

The FBI and CISA have updated their March warning about Russian intelligence phishing of Signal users, and the operators have added a step: they now coax targets into handing over their Signal Backup Recovery Key. Hand it over once, and the attacker can restore the account's backup, read the private and group message history, and take over the account. Worse, the key keeps working: it stays valid for future accounts registered to the same phone number until the user generates a new one in Signal settings.

Why It Matters

According to the FBI and CISA, Russian intelligence-linked threat actors have extended an existing phishing campaign against Signal users: targets are now socially engineered into enabling backups and revealing their Signal Backup Recovery Key, which lets the attackers restore the backup, read historical private and group messages, and take over the account.[1][2][3] The advisory notes that the same key can continue to be used against future accounts registered to the same phone number unless the user generates a new key in Signal settings, and that the encryption itself is not broken; the account holder is the weak point.[1][2] From a CyberSE.AI perspective, this shows how highly sensitive communications can be compromised without defeating cryptography, by targeting account recovery and backup flows instead. AI-enabled systems that integrate with messaging platforms or rely on similar backup/recovery mechanisms should be assessed for social-engineering exposure, enforced key rotation, and robust verification of support communications to prevent comparable large-scale data leakage.

Tags: Healthcare, Fintech, SaaS, SMB, AI startups

CyberSE Analysis

This signal maps to data leakage. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/06/fbi-warns-russian-intelligence-hackers.html
