In recent years, the Signal messaging app has become a newsroom staple, enabling journalists, colleagues, sources, and others to speak to one another securely with end-to-end encryption. This means no one except those in conversation — not even the service provider — can read your messages or listen in on your calls. Journalists use it individually, and we also see a trend toward using organizational Signal tiplines.

But it’s important to understand this is not a ”set it and forget it” decision. When talking to sensitive contacts, you do need to maintain your account to ensure it is safe and does not fall into the wrong hands.

Imagine if someone took over your Signal account. They could impersonate you, causing reputational damage, or worse, putting sources at risk. Unfortunately, this is not a hypothetical. We have seen at least one public example (and some less public) where newsrooms have lost access to Signal identifiers, sometimes leading to abuse.

There are a few simple things journalists can do to maximize the safety of their Signal account.

Basic account safety and identity risks

The default settings on Signal are quite strong. But a motivated attacker could still try to impersonate you, similar to phishing emails, by creating a similar-looking username, or perhaps even take over your account. So it’s important that you maintain your account security and make it easy for people to find accurate information about how to contact you.

When you sign up for Signal, you need to register your account with your phone number. Afterward, you may optionally use a username. If you lose access to your account, be aware that someone else may take over your username.

In more rare circumstances, it is also possible to take over your phone number and register your account. So if this is an important presence on Signal, you’ll want to follow some steps listed below to ensure you maintain both your phone number and username.

The core risks concern:

  • What happens if you don’t sign in?
  • What happens if you change your username?
  • What happens if you lose your phone number?
  • What are the trade-offs between phone numbers and usernames?

If you don’t log into your Signal account, it will be deactivated. So sign in

Signal’s code suggests that after 120 days without activity in the app, your account will be deactivated. At that point, you will cede your username. The account is also recoverable to someone who has access to your phone number.

The solution is simple: Log into your account. If you do so at least every four months, you should be fine. We always encourage newsrooms to keep the primary device (typically a phone) up to date. Don’t put these devices in a drawer and forget about them. They need to be maintained. Read our guide to mobile maintenance.

If you change your username, someone else can claim it. Keep it when possible

When you change your username, it will be available for someone else to claim after about one week. This may not be a problem if you don’t post your handle publicly. However, if you publicize your username, you should ideally keep it for as long as possible to prevent someone else from claiming it.

If you do decide to change your username, be sure to reflect this change on any “source of truth” for how to contact you (e.g., your personal website, byline, social media bio, or tip page). This is not perfect; you may not be able to update your identifier everywhere, such as on business cards. The simplest way forward is to keep your username for the long haul.

If someone takes over your phone number, they may claim your account. Lock them out

Perhaps you didn’t pay your phone bill for a while, and the phone company decides to withdraw access. That means someone can commandeer your phone number. As mentioned above, if you keep logging in to your Signal account, you will still have access to it. But if that account lapses, they will also be able to re-register your Signal.

A more remote possibility is for someone to forcibly take over your phone number. A “SIM swapping” attack is when a bad actor convinces a phone provider that they are one of the rightful owners of your account, allowing them to port your phone number to their phone. You can make their job much, much harder by enabling a PIN on your telecom provider’s account. You can typically enable a PIN under your settings as a “port-out” or “SIM lock” PIN. Learn how to enable SIM locking settings here.

Even if someone does manage to snag your phone number, you can still lock them out on Signal by adding a Signal PIN and preventing them from registering your account without it. To learn how to enable a Signal PIN and Signal’s Registration Lock feature, read our guide.

As identifiers, phone numbers and usernames both have risks. We still recommend a username

If you use your phone number as your identifier on Signal, your sources and other potentially sensitive contacts may add that to their phone contact list, where it may be uploaded to Google Drive, iCloud, or other cloud service providers that are vulnerable to legal requests.

By comparison, if someone reaches out through your username, there’s no need for anyone to save any information about you in their “Contacts” app. This is all handled by Signal. The trade-off is that you will need to maintain this username to prevent the risk of impersonation, because if you lose this username, anyone can claim it.

By comparison, it’s much harder to steal your phone number. Both for your privacy and to minimize risk to sources, on balance, we would still recommend actively maintaining your account with a username.

To learn more, read our guide to locking down Signal. And if you are a journalist in need of more support, reach out to our digital security training team.