Your Signal Account Is Encrypted. Your Team’s Behaviour Isn’t.

by Rebecca Sutton

Russian intelligence did not break Signal. The encryption is fine. What happened, according to a joint FBI and CISA advisory published on 26 June 2026, is that Russian operatives convinced people to hand over their Signal backup recovery key, and Signal helpfully decrypted their entire message archive in return. The cryptography worked exactly as designed. But the person did not.

That distinction should change how businesses think about secure messaging as a security control.

The Signal Backup Recovery Key Attack

The FBI links the campaign to two Russian Intelligence Services (RIS) clusters: UNC5792, tied to FSB officers, and UNC4221, attributed to Russian military services personnel. An earlier warning in March 2026 described thousands of compromised accounts worldwide. Those attacks targeted government officials, military personnel and journalists. But the June update brought a new step: stealing the Signal backup recovery key rather than just hijacking active sessions.

The Signal backup recovery key unlocks an encrypted archive of the account’s message history held on Signal’s servers. Once an attacker has it, they can restore that archive on their own device and read every message and file it contains. Importantly, the key does not expire when the account does. A user who discovers the phish, closes the account and opens a new one on the same number is still exposed unless they generate a fresh key in Settings first.

The phishing lure was an in-app message posing as Signal support. It warned of imminent data loss and walked the target through the steps to share the key. It worked because the target trusted the message, not because Signal had a flaw.

The Problem With “We Use Signal”

Switching to Signal is a genuine security improvement. End-to-end encryption means that a network-level attacker, an ISP or a compromised server cannot read messages in transit. That is a meaningful reduction in risk for many threat models.

But many organisations treat “we use Signal” as the end of the conversation, not the beginning. They have improved the channel without considering the person holding the phone. Signal’s encryption protects messages from interception. It does not protect the account holder from being tricked into handing over the credential that unlocks the backup.

Russian intelligence understood this before most businesses did. The March 2026 campaign showed that operatives with social engineering skills and a plausible pretext can read encrypted message histories at scale. They never touched the underlying cryptography. The June update confirms they have now refined the approach to capture a more persistent credential.

What Encryption Protects Against, and What It Does Not

End-to-end encryption is a channel control. It stops third parties reading messages in transit. Against an adversary who targets the person holding the device, it offers little protection.

This is not a new observation. In fact, security practitioners have made the same point about encrypted email and VPNs for years. Signal is no different in this respect. The recovery-key attack applies the same principle to a platform many organisations adopted specifically because they thought encryption made it secure.

The attack surface for encrypted messaging includes everything the encryption does not cover. That means the device lock screen, the account credentials, the backup settings, and whether the employee can recognise a social engineering attempt inside an app they trust.

What This Reveals About Security Testing

A penetration test that focuses on network segmentation, patch levels and application vulnerabilities would not have found this exposure. No scanner detects whether employees know not to share their Signal backup recovery key. No firewall blocks an in-app phishing message from reaching a member of staff on their personal phone.

Yet this risk only surfaces through staff awareness testing, specifically simulated social engineering exercises that reflect the tools people actually use. Most phishing simulations test email. Fewer test in-app messaging, even though messaging apps are now a primary channel for sensitive work at many organisations.

If your team uses Signal for any business communications, ask a few questions. Do staff know Signal never sends in-app support messages? Do they know what a recovery key is and why it must never be shared? Have you tested whether they would spot this kind of attempt?

What to Do

For any employee who may have received an unsolicited “Signal support” message, the immediate steps are:

  • Generate a new recovery key via Settings, then Chats, then Backups. This invalidates the old key for future backup downloads.
  • Review linked devices under Settings and remove any that are not recognised.
  • Enable Registration Lock to prevent number re-registration without a PIN.

Beyond these fixes, treat the advisory as a prompt to broaden your security awareness programme. Staff who use Signal for sensitive work should understand the specific social engineering risks attached to it; general email phishing guidance alone is not enough.

UK organisations can report suspected incidents to the National Cyber Security Centre via ncsc.gov.uk, and to the IC3 at ic3.gov.
