The FBI’s extraction of deleted Signal messages had nothing to do with Signal — its security was intact. Instead it exploited the way in which iPhone stores notifications on a device. If you set Signal or WhatsApp or any other platform’s notifications to show the sender and a preview of the content, that data is at risk. Change your messaging and notification settings if that concerns you.
The other key vulnerabilities relate to messaging accounts — including the scourge of WhatsApp account hijacks — and multi-device access. If you’re tricked into sharing a security code or adding an attacker’s phone to your WhatsApp or Signal account, through a rogue link or QR code, they can eavesdrop on everything. You can — and should — check linked devices in your app to ensure all is as expected.
Per the FBI’s warning, despite end-to-end encryption remaining fully intact, this latest hacking campaign “resulted in unauthorized access to thousands of individual (messaging) accounts. After compromising an account, malicious actors can view the victims’ messages and contact lists, send messages.” While the bureau says on this occasion, “the threat actors specifically targeted Signal accounts,” they can “apply similar methods” against other messaging apps.
End-to-end encryption is fine, despite noisy posts from Elon Musk and others. But that end-to-end encryption does not in itself protect you. Your security is only as good as the phone you use — and the people you message.
End-to-end encryption (E2EE) is widely considered the gold standard for digital privacy, ensuring that only the sender and recipient can read messages. However, “Are you sure?” is a valid question because while the transmission is secure, the endpoints (the phones themselves) and metadata can still be vulnerable.
E2EE works as advertised for protecting message content from eavesdropping. However, it does not make you immune to user-level risks, compromised device security, or metadata sharing.