Their Signal account went dormant after not being used for a year. After that someone was able to claim the username for the account.
There isn’t much information about the breach or how it was discovered, but the article says this.
Signal user IDs associated with accounts that are left dormant are eventually recycled and made available to new users.
If you own a Signal account that you leave dormant from time to time, beware of this.
The Signal team need to fix this. I don’t claim to propose the best solution, but letting other users take over usernames of a dormant account is a mistake, and perhaps users who connect with someone using a potentially hijacked username ought to be alerted to verify the contact.
You do not own a Signal account if access can be automatically revoked by a third-party due to inactivity.
SimpleX would be a good option but Signal is popular with Journalists.
I assume the account itself wasn’t taken over but the associated username was deregistered and subsequently taken over by the third party.
When it comes to trust, the technical details do not really matter if people continue to assume that the hijacked account handle remains in possession of The Intercept.
I agree. Unsuspecting people will trust the third party as if they own the account that is actually owned by The Intercept.
Is this behaviour clearly indicated? It would be—to me—the responsibility of the outlets to promptly inform that the Signal tip line is no longer active.
On ownership, it seems a bit ridiculous to me that you would feel “ownership” (in the property sense, as in, “this is mine forever”) over an account (or in this case, just a username) that exists in someone else’s database. Even email services eventually turn over their inactive addresses.
This highlights a great life rule.
Never trust reporters.