We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists.
-
We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.
To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.
@signalapp These attacks wouldn't be possible if you stopped requiring phone numbers -
@signalapp recipients who are not native English speakers may not notice the giveaways in this and similar scams.
Thank you for pointing this out
-
We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.
To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.
@signalapp "SMS codes" sounds like a you problem, though.
-
We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.
To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.
@signalapp Since Signal always asks for a PIN code for backups, it seems logical that threat actors are exploiting this behavior to trick users.
-
@unaegeli @signalapp I was just thinking of this.
It sounds like Signal is fairly unique in this setup. We're constantly being bombarded with verification requests, and it can be easy to forget one app works differently.
@solitha
I mean it's hard for some non technical users to make them understand what is the "trusted context" and what is not I suppose?I mean we had that with mail for years, people should know to check the senders mail, yet still Phishing attacks are often successful.
@unaegeli @signalapp -
We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.
To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.
@signalapp You know how you could solve that? Stop taking users' phone numbers, and especially stop using it for verification. EZPZ.
-
To protect people from such phishing, Signal actively warns users against sharing their SMS code and PIN.
We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal related code, it is a scam. We make this clear when users receive their SMS code during initial signup.
You should add the ability to sign up with email. I'm not sure that Russian users can log in with a code from SMS.
-
@Lizette603_23 @signalapp Please stay kind and on topic, alright? Signal is open for feedback in their Discourse Forum.
@voxel nope
-
We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.
To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.
@signalapp
Thank you for explanations.1. When will mere users be able to detach Signal session from the mobile device?
This single functionality (doable for versed hackers but not for the general public) would stop such scams for high value targets like journalists, who would simply use a single-purpose wifi only desktop/tablet.
-
Hmmm, and what about the monthly reminder to enter the personal smartphone code? How to differentiate this from the other?
@unaegeli @signalapp One is an in-app prompt. The other is a message, text or email. They don't look anything alike.
-
We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.
To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.
@signalapp those attacks.would've not.been successful if you weren't a #proprietary, #centralized, #SingleVendor / #SingleProvider "solution" that doesn't do #SelfCustoy of all the.keys nor allows for #SelfHosting nor demands #PII like #PhoneNumbers that can be leveraged for that.
- You know what I need to use @monocles / #monoclesChat or @gajim / #XMPP+#OMEMO?
- Internet connection and an account on any server.
Can't #phish if one doesn't have credentials for #phishing attacks ffs!
- Can't get #phished if noone demands, stores, process or even demands such details in the first place!
Also which #Government is that incompetent to not be able to setup their own comms?
- You know what I need to use @monocles / #monoclesChat or @gajim / #XMPP+#OMEMO?
-
These attacks, like all phishing, rely on social engineering. Attackers impersonate trusted contacts or services (such as the non-existent “Signal Support Bot”) to trick victims into handing over their login credentials or other information. To help prevent this, remember that your Signal SMS verification code is only ever needed when you are first signing up for the Signal app.
@signalapp yes, and you have control over all the #Signal usernames, so it's your failing to prevent thode that happen inside your platform!
- I know that like any decent system you can block keywords and strings from usernames, display names and so forth.
- If not tuey ou truly are criminally incompetent!
- I know that like any decent system you can block keywords and strings from usernames, display names and so forth.
-
To protect people from such phishing, Signal actively warns users against sharing their SMS code and PIN.
We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal related code, it is a scam. We make this clear when users receive their SMS code during initial signup.
@signalapp THERE IS NO LEGITIMATE REASON FOR #Signal TO DEMAND A #PhoneNumber (= #PII by circumstances if not mandatory doxxing to the governments aka. "#KYC")…
- so yes I do blame Signal because this attack vector is unique to #Signal's shittyness and would not exist with @monocles / #monoclesChat or even
cock.liof all places…
- so yes I do blame Signal because this attack vector is unique to #Signal's shittyness and would not exist with @monocles / #monoclesChat or even
-
@signalapp recipients who are not native English speakers may not notice the giveaways in this and similar scams.
@ExcelAnalytics @signalapp not only that, the entire concept of demaning a #PhoneNumber to use #Signal is inherently and irredeemably wrong to begin with!
-
@signalapp as careful as this message is, I think it could be improved. If someone goes to a web page and get phished by being asked to type it into the page, the message will not dter them because it's not someone "asking for the code".
I think the message should say something about where it's intended to be used.
-
"in a stunning development today, a random mastodon user showed they were able to take over Signal's Signal account. details of the hack remain unclear"
@benroyce @FQQD I know the details:
@signalapp are criminally incompetent like #EncroChat at best if not a #HoneyPot like #ANØM aka. #OperationIronside aka. #OperationTrøjanShield...
-
@FQQD @signalapp quick GET 'EM
-
@Lizette603_23 @signalapp Please stay kind and on topic, alright? Signal is open for feedback in their Discourse Forum.
@voxel @Lizette603_23 @signalapp they refuse to acknowledge that it's their failure by design…
-
@signalapp THERE IS NO LEGITIMATE REASON FOR #Signal TO DEMAND A #PhoneNumber (= #PII by circumstances if not mandatory doxxing to the governments aka. "#KYC")…
- so yes I do blame Signal because this attack vector is unique to #Signal's shittyness and would not exist with @monocles / #monoclesChat or even
cock.liof all places…
@kkarhan@infosec.space since i’ve started hosting services for people, i came to the conclusion that the only thing you will need is an email, and only when there is no other option to reach out to the user.
let’s make it clear to everyone: phone numbers should only be shared to people you trust and nobody else
- so yes I do blame Signal because this attack vector is unique to #Signal's shittyness and would not exist with @monocles / #monoclesChat or even
-
@voxel @Lizette603_23 @signalapp they refuse to acknowledge that it's their failure by design…
@voxel @Lizette603_23 @signalapp instead #Signal continues to peddle their #Shitcoin to this day…
https://www.youtube.com/watch?v=0DSGq9FQKU4 video via @techlore@social.lol / @techlore@techlore.tv / #TechLore
