The Digital Security Digest, by Freedom of the Press Foundation (FPF), is a weekly newsletter with security tips that keep you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.
Impersonator took over The Intercept’s Signal tipline username to solicit sources
Someone has been masquerading as The Intercept using the Signal username listed on its tip page, placing potential sources at substantial risk. We don’t know how long the Signal username was compromised, but according to Drop Site News, since at least February a social media account with the breached username in its bio and posts had solicited tips while posing as The Intercept. The account sought information and responded to lawmakers and federal officials roughly 100 times between April and May alone, offering the compromised username for outreach. During that time, the username remained posted on The Intercept’s tip page.
On June 30, The Intercept posted a new username to X, warning not to use its previous username. “If you want to contact The Intercept, please get in touch with our reporters individually or use the Signal account Theintercept_tips.01. Please do not use the username TheIntercept.01.” The outlet did not provide guidance to individuals who may have been in touch with the compromised username. Read more about the breach.
What you can do
While we have some strong context clues, we don’t know precisely how long The Intercept’s Signal tipline username was commandeered — potentially for months. We also don’t know what events led to the compromise of this username. But there is a very short list of things that could have gone wrong here, all of which are easily preventable.
You may lose access to your username (1) if you let your account lapse, (2) if you change it, or (3) if your phone number is hijacked, and it is then used to recover your Signal account. Here’s what you need to do to prevent these risks:
- Keep your Signal account active. Signal’s code suggests that accounts are automatically deactivated after 120 days, at which point you will also lose access to your username, allowing it to be registered by anyone else. As long as you open your Signal app every now and then, you should be fine.
- Try to keep your username. But if you change it, make sure everyone knows it. If you change your username, after about a week, someone else can snag it. This means someone else could potentially impersonate your organization. You therefore want to keep your tip page, social media presence, and potentially any other “source of truth” up to date with your newest contact information. However, this also has limits — for example, if you put your Signal username on business cards or if it appears in an old presentation on YouTube, there’s only so much you can do about that. So if you have spread your username around in public, the safest path is to maintain your old username whenever possible.
- Secure your phone number. This is a much less common risk, but attackers may be able to convince the telecom company that they are the rightful owner of your account, allowing them to take over your phone number. Such “SIM swapping” attacks are typically intended to conduct banking fraud or to steal digital currency. But these attacks could also be used to take over the phone number used to register your Signal account. If you haven’t done so already, work with your phone company to set an account PIN. If you use an app or the telecom’s website, this may appear in your account settings as a “port-out” or “SIM lock” PIN. If your phone provider has a retail presence, you can also typically set these PINs in person.
- Secure your Signal account with a PIN and Registration Lock. Even if someone gets ahold of your phone number, if you enable Registration Lock and a PIN, no one will be able to take over your Signal account without the correct PIN. Learn how to set up a PIN with Registration Lock.
- Maximize your Signal security settings. While you’re at it, there are several additional settings you can use to lock down Signal. Read our guide.
Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.
Best,
Martin
–
Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation




