July 1, 2026, 12:35 pm
The U.S. security agencies FBI and CISA (Cybersecurity and Infrastructure Security Agency) have updated their warning about ongoing phishing attacks targeting users of commercial messaging services, particularly Signal. The campaigns now focus on recovery keys for messenger backups. Sharing your recovery key can give attackers long-term access to your account and stored messages.
Several groups linked to Russian intelligence services continue to target individuals of particular interest for espionage, according to the FBI and CISA. These include current and former government officials from the U.S. and other countries, military personnel, politicians, journalists, and key figures in Ukraine. According to the agencies, individual user accounts have been compromised, but not the messaging services or their end-to-end encryption.
Attackers Target Backup Keys
The perpetrators send messages that appear to come from the customer service of the respective messenger provider. In addition to confirmation codes and security PINs, they are now also trying to obtain recovery keys for data backups.
If the perpetrators obtain a backup’s recovery key, they can access stored conversations and subsequently take over the affected account. According to the FBI and CISA, a disclosed recovery key remains usable even if the user later sets up a new account with the same phone number on the messenger.
Authorities Recommend Special Caution
To prevent further use of a compromised key, affected individuals should generate a new recovery key in their account settings. This will invalidate the previous key for future backups. However, already downloaded data backups cannot be retroactively protected this way.
For the Signal messenger, this works as follows:
- Open Signal and go to Settings.
- Select the Backups menu item.
- Create a new recovery key.
- Securely store the new key and replace the previous one.

The FBI and CISA also point out that legitimate support departments use only official email addresses. They would neither request confirmation codes in chat nor send links for account verification or recovery.
According to the agencies, the campaigns have already enabled unauthorized access to thousands of messenger accounts. Attackers were able to view messages and contact lists, send messages in the victims’ names, and prepare further phishing attacks. German politicians have also been targets of such attacks. Among those affected is Bundestag President Julia Klöckner. Her case became known in April.