FBI Warns Russian Hackers Stole Encrypted Signal Backup Codes

By 813 Staff

Tech industry sources confirm the FBI's warning that Russian hackers stole encrypted Signal backup codes, according to BleepingComputer (@BleepinComputer) on June 26, 2026.

Source: https://x.com/BleepinComputer/status/2070629818878603734

The FBI has warned that Russian state-sponsored hackers are now actively targeting Signal backup recovery keys, a shift in tactics that threatens the encryption privacy of thousands of users. According to a report from BleepingComputer (@BleepinComputer), internal documents shared by the bureau indicate that the targeting is part of a broader campaign by known Russian threat groups, including those linked to the APT29 hacking collective, often referred to as Cozy Bear. The disclosure, posted on June 26, 2026, details how these actors have moved beyond intercepting live communications to specifically exfiltrating the alphanumeric recovery keys that allow Signal users to restore their chat history when switching devices or reinstalling the app.

Engineers close to the project say the attackers are exploiting a combination of phishing campaigns and targeted social engineering to trick users into revealing their recovery keys. Once obtained, the hackers can decrypt and access stored message histories, effectively bypassing Signal’s end-to-end encryption for past conversations. The rollout of any defensive measures from Signal has been anything but smooth; internal sources at the messaging platform confirm the company is scrambling to patch the attack vector, but updates have been delayed as engineers work to redesign the key recovery system without breaking compatibility for legitimate users. The FBI’s advisory specifically notes that the targeting is not a vulnerability in Signal’s protocol itself, but rather a strategic pivot to attack the human and procedural elements around the key’s storage.

Why this matters is straightforward: Signal has long been considered the gold standard for secure communications among journalists, activists, and government officials. A successful campaign that harvests recovery keys undermines the core trust in the platform’s promise that no one—not even Signal—can read your messages after they are sent. The impact is already being felt within defense and intelligence communities, where some units have reportedly paused the use of Signal for sensitive internal coordination until the threat is mitigated.

What happens next remains uncertain. The FBI has not released a specific timeline for when Signal’s update might ship, and senior cybersecurity analysts warn that the attackers may already have a cache of keys harvested before the public advisory was issued. Signal’s security team has stated that a server-side change to key rotation is in the pipeline, but engineers caution that a complete fix will require a client update, which takes days to weeks to roll out across platforms. For now, the safest move is to treat recovery keys as highly sensitive credentials, store them offline, and enable Signal’s disappearing messages feature to limit historical exposure.
