A response to recent reporting in Germany, in service of clarity and accountability:
-
Because such a change results in de-registering your Signal accounts, attackers prepared people for this by telling them that being de-registered was intended behavior, and that all they would need to do is “re-register,” or, create a new account. When they moved to create a new Signal account — one that was now decoupled from their hijacked account — the victims thought they were logging back in to their primary account. 5/
As a result, many didn't notice the takeover. The compromised accounts were then weaponized to target the victims' contact lists by posing as the owners of the account. 6/
-
As a result, many didn't notice the takeover. The compromised accounts were then weaponized to target the victims' contact lists by posing as the owners of the account. 6/
We understand the trust that people put in Signal, and how devastating this kind of social engineering can be. While it’s true that all messaging platforms are susceptible to scammers and phishing that betrays people’s trust and convinces them to “unlock the front door” where no backdoor exists, we are looking to do everything we can to help people avoid and detect such scams. 7/
-
We understand the trust that people put in Signal, and how devastating this kind of social engineering can be. While it’s true that all messaging platforms are susceptible to scammers and phishing that betrays people’s trust and convinces them to “unlock the front door” where no backdoor exists, we are looking to do everything we can to help people avoid and detect such scams. 7/
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp it's hilarious how it gets framed as a hack when it's just the incompetence of a politician who was warned REPEATEDLY that this specific phishing attack is targeting high profile politicians and STILL fell for it
️
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp German politicians are not that much used to technology ^^
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
-
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
@signalapp What credentials? not just a phone number presumably.
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp As you allude to, there has been a lot of misleading reporting about Signal being “hacked.” However, one substantial issue is worth mentioning: Signal asks users to enter their PIN from time to time. This can be switched off in the settings, but most users probably leave it enabled.
So while this is not Signal *Support* asking for your PIN, it is the Signal *App* asking. Less technically minded users may not clearly understand the difference.
-
@signalapp it's hilarious how it gets framed as a hack when it's just the incompetence of a politician who was warned REPEATEDLY that this specific phishing attack is targeting high profile politicians and STILL fell for it
️And those are the same people who decide about the deployment of shit like Palantir into our infrastructure.
-
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
@signalapp So, the Verify Your Pin so you don't forget it message I got few weeks ago is as bogus as I thought it was? Dumb question, but can I click on the message so I can remove it?
-
S simonjust@mstdn.dk shared this topic
-
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
@signalapp thanks for sharing this. This could have been a blog
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp appreciate the effort to combat scams!
social engineering will unfortunately always exist in some capacity but that reporting is particularly sloppy, framing a phishing campaign as compromised encryption
-
@signalapp What credentials? not just a phone number presumably.
@jtb Read the thread
-
@signalapp So, the Verify Your Pin so you don't forget it message I got few weeks ago is as bogus as I thought it was? Dumb question, but can I click on the message so I can remove it?
@signalapp in "Settings" -> "Account": "PIN reminders"
-
@jtb Read the thread
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@signalapp das Internet ist für uns alle Neuland…
-
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
@jtb It's how phishing / social engineering works. Not everyone is as clever as you.
-
@signalapp German politicians are not that much used to technology ^^
-
@signalapp So, the Verify Your Pin so you don't forget it message I got few weeks ago is as bogus as I thought it was? Dumb question, but can I click on the message so I can remove it?
@MFennVT @signalapp
if it was a signal message coming from another signal account in a *chat*, it is not real.
But it was probably not a message but a banner in the list of your chats, which is real, doesn't look like a chat and exists to make sure users don't forget their pin, as they cannot reset it without data loss when it is needed.
You can deactivate pin reminders, see here
https://support.signal.org/hc/de/articles/360007059792-Signal-PIN#pin_reminders -
And those are the same people who decide about the deployment of shit like Palantir into our infrastructure.
@Brynawel don't we all feel safe now
@signalapp
