A Third Party Breached The Intercept’s Signal Tip Line and Has Been Soliciting Whistleblowers

Their Signal account went dormant after not being used for a year. After that someone was able to claim the username for the account.

4 Likes

There isn’t much information about the breach or how it was discovered, but the article says this.

Signal user IDs associated with accounts that are left dormant are eventually recycled and made available to new users.

If you own a Signal account that you leave dormant from time to time, beware of this.

The Signal team need to fix this. I don’t claim to propose the best solution, but letting other users take over usernames of a dormant account is a mistake, and perhaps users who connect with someone using a potentially hijacked username ought to be alerted to verify the contact.

3 Likes

You do not own a Signal account if access can be automatically revoked by a third-party due to inactivity.

1 Like

SimpleX would be a good option but Signal is popular with Journalists.

2 Likes

I assume the account itself wasn’t taken over but the associated username was deregistered and subsequently taken over by the third party.

1 Like

When it comes to trust, the technical details do not really matter if people continue to assume that the hijacked account handle remains in possession of The Intercept.

1 Like

I agree. Unsuspecting people will trust the third party as if they own the account that is actually owned by The Intercept.

1 Like

Is this behaviour clearly indicated? It would be—to me—the responsibility of the outlets to promptly inform that the Signal tip line is no longer active.

On ownership, it seems a bit ridiculous to me that you would feel “ownership” (in the property sense, as in, “this is mine forever”) over an account (or in this case, just a username) that exists in someone else’s database. Even email services eventually turn over their inactive addresses.

1 Like

This highlights a great life rule.

Never trust reporters.

1 Like