The encrypted messaging app Signal is receiving renewed attention after high-level members of President Donald Trump’s administration inadvertently added a journalist to a group chat discussing military action in Yemen.
Questions about the security of Signal, which is widely regarded as the gold standard for encrypted communications, have also been raised after a Pentagon briefing titled “Signal Vulnerability” was shared by NPR just days later.
The Pentagon-wide advisory—which cautioned employees not to use the app for work discussions, even if unclassified—stated that a “vulnerability has been identified in the Signal Messenger Application.”
“Please note: third party messaging apps (e.g. Signal) are permitted by policy for unclassified accountability/recall exercises but are NOT approved to process or store nonpublic unclassified information,” the memo, dated March 18, said.
The alleged vulnerability concerned phishing attacks, attributed by Google to the Russian government, aimed at high-profile users of Signal.
The memo, as well as a report from Axios on Tuesday detailing how members of a California delegation group chat on Signal were targeted months back by an account posing as California Gov. Gavin Newsom (D), has many asking whether Signal is as safe as it’s portrayed to be.
Rep. Huffman, underscoring how unsecured Signal is, shared with @Axios how, two months ago, members of the Calif. delegation were targeted by an apparent scammer purporting to be Newsom. No members “went all the way,” he said, but some “came close.” https://t.co/eWWD5LxWiG
— Andrew Solender (@AndrewSolender) March 25, 2025
Does Signal have a vulnerability?
The so-called vulnerabilities mentioned regarding Signal are not with the app or its security. Instead, the issues are related to what is always the weakest link with any digital communications: people.
As with any security-focused app, the security is only as robust as the person using it. Signal is designed to encrypt your communications on the wire, meaning anyone attempting to intercept them as they travel from one device to another will only receive encrypted gibberish.
But if a message is exposed after it reaches a user’s phone and is decrypted there, either by sophisticated phone-monitoring malware or something as simple as someone peering over the user’s shoulder, there is nothing Signal can do.
In a lengthy post to X, Signal addressed this issue by pushing back on the Pentagon’s use of the term “vulnerability.”
“One piece of misinfo we need to address is the claim that there are ‘vulnerabilities’ in Signal. This isn’t accurate,” Signal wrote. “Reporting on a Pentagon advisory memo appears to be at the heart of the misunderstanding. The memo used the term ‘vulnerability’ in relation to Signal—but it had nothing to do with Signal’s core tech. It was warning against phishing scams targeting Signal users.”
And while information regarding war plans, which was likely classified, probably shouldn’t have been discussed by Trump’s officials on Signal, the group could have taken multiple steps to protect against the exposure, such as checking the identities of everyone in the group and confirming those identities with Signal’s safety number feature.
It’s also important to remember that not everyone faces the same threats. Government officials are at risk of having their phones targeted with sophisticated hacking tools, whereas the average Signal user is not.
As with any security tool, knowing its capabilities is just as important as knowing its weaknesses. In other words, Signal remains the gold standard for encrypted communications, but make sure you know how to properly use it first.