
The dangers of plotting wars with messaging apps, and a timely reminder to work on becoming more phishing resistant


It's probably not the kind of publicity the makers of the excellent Signal messaging app would like, but the leak of the war plans against the Houthis in Yemen by the Trump administration is quite spectacular.

For reasons nobody can understand, the editor in chief of The Atlantic, Jeffrey Goldberg, was added to a group chat over Signal, called the "Houthi PC small group". Goldberg watched with disbelief as messages from United States secretary of defence Pete Hegseth, vice president JD Vance and other top government officials flew by, discussing American plans to bomb the Houthi militants that continue to threaten and attack shipping in the Red Sea.

"This is going to require some explaining," Goldberg wrote in The Atlantic. 

It surely will, and what a scoop for Goldberg. Some members of the social media commentariat have suggested that adding Goldberg to the group chat was intentional, so as to cleverly push a narrative out there. That kind of four-dimensional chess seems implausible, and human error is the most likely reason for the leak.

It's important to note that this is not a security breach of Signal. It's a strongly end-to-end encrypted (E2EE) messaging and communications app, which is highly regarded and considered very secure. Furthermore, Signal is free to use (although you should donate to help keep it going), and the organisation behind it is a not-for-profit.

No software, nor the environment the code runs in - like smartphones and computers - is perfect, free of bugs and absolutely secure. An information security professional acquaintance, who refused to drive new cars with any form of connectivity for the longest time, pointed to the Signal Desktop app as the messaging system's potential weak spot.

Confirming that some Signal users are targeted, in February this year, Google's Threat Intelligence security researchers said they were looking at cases of Russia-aligned hackers attempting to abuse the messaging app's linked devices feature. That feature allows Signal to be used across multiple devices, and attackers have used specially crafted malicious QR codes to get an eavesdropping position in the messaging chain.

Signal is by all indications as good as it gets for secure communications. The bizarre thing is why Signal on smartphones was used in the first place for such a highly sensitive matter, instead of people meeting in a secure room. The alleged use of disappearing messages is perhaps one reason, but that opens up an official records can of worms.

Nevertheless, as any security expert will tell you, someone could shoulder surf and read messages (Goldberg said he was parked at a supermarket at the time); or, your phone could get stolen, and there's always some possibility that the device could be unlocked. 

In other words, messaging app security can easily be undone by the humans using them. No fancy hacking needed.

Even experts get phished

You might be familiar with Troy Hunt over in Australia. He runs the Have I Been Pwned free site that keeps track of data breaches, and lets you check if your email's in one of the very many hacks and leaks that occur regularly. It's a great service.

Long story short, a jetlagged Troy clicked on a link in an email, and got phished in a fully automated fashion.

The attacker got hold of a mailing list of addresses from the well-known message sender Mailchimp, which Troy uses, and he is, as you can imagine, kicking himself for clicking. Read the detailed post-mortem linked to above, and you'll quickly realise that when security experts like Troy can fall for phishing attempts, then anyone can.

I've been worrying about that for a while now and it's not a matter of anyone being stupid.

We're conditioned to click and tap on links in emails for a range of purposes, and at some point you might get a bad URL under your cursor or finger. Add to that, as Troy points out, today's phishing messages can be very well-crafted, and try to scare users into taking action quickly without carefully thinking through what they're doing.

There's no easy answer here, but definitely look into becoming more phishing resistant. Troy has some interesting things to say about using passkeys, which are supported by Apple, Google, Microsoft and others, and part of the FIDO2 and WebAuthn standards.

Passkeys mean no more password authentication, and you can't be tricked into revealing that secret by attackers. They are also easy to use, which is very important as convoluted security measures put people off from using them. Even seemingly simple things like making sure you use a unique password for each account you set up fall apart when you have to memorise hundreds of different ones. People often reuse passwords on multiple sites, leading to credential stuffing attacks.

Again, they're not perfect and you have to, for example, make sure that you don't get locked out if you lose the device the passkeys were created on. But passkeys and other types of multi-factor authentication go a long way when it comes to being phishing resistant, and trust me, you need to be that nowadays.
