Secure messaging app Signal has issued a warning that government officials and journalists had their accounts taken over by cybercriminals after falling for phishing scams. The app confirmed that the attacks were not the result of a breach in its encryption or infrastructure but rather the result of targeted social engineering tactics.

How the Scams Worked

Signal said in a statement that attackers impersonated trusted contacts or services, including a fake ‘Signal Support Bot,’ to trick users into sharing their SMS verification codes or Signal PINs. These codes are only required during the initial sign-up process and should never be shared with anyone, the app said.

‘We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously,’ Signal said in its statement.

The app emphasized that its support team will never initiate contact via in-app messages, SMS, or social media to ask for verification codes or PINs. Users who receive such a request are advised to treat it as a scam.

Impact on Government and Media

According to recent reports, UK and Dutch government officials have been repeatedly targeted in Signal phishing efforts. The app has also confirmed that the attacks were not limited to these regions but have affected users globally.

Last year, sensitive information about the Trump administration’s secret war plans in Yemen was leaked after a government official accidentally added The Atlantic editor-in-chief Jeffrey Goldberg to a Signal group chat. The incident highlighted the risks of using encrypted messaging apps without proper caution.

Former Trump administration official Katie Miller, wife of White House Deputy Chief of Staff Stephen Miller, commented on the security of Signal, stating, ‘It’s actually pretty common and not that sophisticated — one of the reasons Signal shouldn’t be fully trusted.’ Her remarks underscore the ongoing debate about the reliability of encrypted communication platforms.

Signal’s Response and Future Measures

Signal has been actively working to prevent such phishing attempts by educating users on the importance of not sharing their SMS codes or PINs. The app has also implemented design changes to make users more aware of potential scams, such as clearly stating that verification codes are only needed during the initial sign-up process.

‘While we build strong technical safeguards, user vigilance is ultimately the best defense against phishing,’ Signal stated. The company has committed to continuing its efforts to mitigate these risks through improved interface design and clearer warnings within the app.

Signal’s response highlights the growing threat of phishing attacks against high-profile individuals and the need for both technical and user-based defenses. As the use of encrypted messaging apps continues to rise, so too does the risk of targeted cyberattacks.

Users are being urged to remain alert and to never share their verification codes or PINs with anyone. Signal has also reiterated that its encryption and infrastructure remain secure and strong, and that the attacks are solely the result of social engineering tactics.