Normal view

FBI Extracts Deleted Signal Messages from iPhone Notification Database

23 April 2026 at 13:05

404 Media reports (alternate site):

The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database….

The news shows how forensic extraction—­when someone has physical access to a device and is able to run specialized software on it—­can yield sensitive data derived from secure messaging apps in unexpected places. Signal already has a setting that blocks message content from displaying in push notifications; the case highlights why such a feature might be important for some users to turn on.

“We learned that specifically on iPhones, if one’s settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device,” a supporter of the defendants who was taking notes during the trial told 404 Media.

EDITED TO ADD (4/24): Apple has patched this vulnerability.

Apple fixes iOS bug that kept deleted notifications, including chat previews

23 April 2026 at 12:27

Apple has released a software update that deals with an issue that could allow deleted notifications to be retrieved. Something that, in at least one reported case, was used by law enforcement during forensic analysis.

Apple fixed the issue in iOS and iPadOS versions 18.7.8 and 26.4.2 (check availability for your device at those links). The update deals with a singular security vulnerability, tracked as CVE-2026-28950.

Although the description is brief—“a logging issue was addressed with improved data redaction”—the impact points us in the right direction.

“Notifications marked for deletion could be unexpectedly retained on the device.”

This suggests that Apple’s bug was that iOS kept copies of notification content in an internal database for longer than intended, even after the messages “disappeared” or the app was uninstalled. In a case reported by 404 Media, law enforcement was able to recover those notifications using standard forensic tools once they had access to the unlocked device. The example in that reported case involved Signal.


Mobile protection, anywhere, anytime.


A response on X by Signal states:

“The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database.”

Before we go into the update process, you may want to know that you can mute or hide notifications in Signal, which also protects them from prying eyes. In Signal, open your Settings and tap on Notifications. You can adjust several settings there. For example, I have mine set so I only see the name of the sender.

Install the update

For iOS and iPadOS users, you can check if you’re using the latest software version by going to Settings > General > Software Update. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

Update settings on iPad
Update settings on iPad

Scammers know more about you than you think. 

Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in. 

Download for iOS → Download for Android → 

Apple fixes iOS bug that kept deleted notifications, including chat previews

23 April 2026 at 12:27

Apple has released a software update that deals with an issue that could allow deleted notifications to be retrieved. Something that, in at least one reported case, was used by law enforcement during forensic analysis.

Apple fixed the issue in iOS and iPadOS versions 18.7.8 and 26.4.2 (check availability for your device at those links). The update deals with a singular security vulnerability, tracked as CVE-2026-28950.

Although the description is brief—“a logging issue was addressed with improved data redaction”—the impact points us in the right direction.

“Notifications marked for deletion could be unexpectedly retained on the device.”

This suggests that Apple’s bug was that iOS kept copies of notification content in an internal database for longer than intended, even after the messages “disappeared” or the app was uninstalled. In a case reported by 404 Media, law enforcement was able to recover those notifications using standard forensic tools once they had access to the unlocked device. The example in that reported case involved Signal.


Mobile protection, anywhere, anytime.


A response on X by Signal states:

“The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database.”

Before we go into the update process, you may want to know that you can mute or hide notifications in Signal, which also protects them from prying eyes. In Signal, open your Settings and tap on Notifications. You can adjust several settings there. For example, I have mine set so I only see the name of the sender.

Install the update

For iOS and iPadOS users, you can check if you’re using the latest software version by going to Settings > General > Software Update. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

Update settings on iPad
Update settings on iPad

Scammers know more about you than you think. 

Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in. 

Download for iOS → Download for Android → 

FBI, CISA warn of Russian hackers hijacking Signal and WhatsApp accounts

24 March 2026 at 14:39

In a Public Service Announcement (PSA) the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warn the public about ongoing Russian-linked phishing campaigns that aim to gain access to messaging accounts.

Earlier this month we wrote about a large‑scale phishing campaign aimed at hijacking Signal and WhatsApp accounts belonging to senior officials, military personnel, civil servants, and journalists.

Now the FBI and CISA have joined European intelligence services in warning that the same tactics are being used in a broader campaign targeting these commercial messaging apps. The goal is not to break end‑to‑end encryption, but to walk straight around it by stealing access to individual accounts.

In our previous article, we focused on warnings from the Dutch intelligence services AIVD and MIVD, which described how Russian state‑backed actors approached high‑value targets via Signal and WhatsApp, posing as “Signal Support”, “Signal Security Bot”, or similar. The PSA demonstrates how the same groups are now running global phishing campaigns against messaging app accounts, with evidence suggesting thousands of compromised accounts worldwide.

It’s important to reiterate that the attackers have not managed to break the apps’ end-to-end encryption. Instead, they are relying on social engineering to get a device added so they can eavesdrop on accounts.

The current targets include current and former US government officials, military staff, political figures, and journalists, but there is nothing to stop the same techniques being reused against businesses and everyday users.

So, while it’s tempting to dismiss this as a problem for diplomats and generals (and the agencies issuing these alerts do mention high‑profile targets first), the techniques scale very easily. Once playbooks like these are public, they tend to be copied by cybercriminals looking for new ways to steal money or accounts.

How to protect your accounts

As the PSA puts it:

“Phishing remains one of the most unsophisticated, yet effective means of cyber compromise, often rendering other protections irrelevant”

This calls asks for basic security measures:

  • Treat unsolicited messages from “Support” inside apps as suspicious by default. Legitimate support for apps like Signal and WhatsApp does not ask you, in a chat message, to send back verification codes, PINs, or passwords.​ If you receive a warning about account problems, do not follow links in the message. Open the app’s settings directly or visit the official website through other means.
  • Never share SMS verification codes or app PINs. SMS codes are there to prove that you control a phone number. Anyone who has the code can pretend to be you. App‑specific PINs or passcodes are there to protect account changes. Giving them away is like handing over the keys to your account. Consider anyone asking for them to be a scammer.
  • Be careful what you discuss and with whom. Both the Dutch and US advisories remind us that even with end‑to‑end encryption, some conversations are too sensitive for commercial chat apps.
  • Use the extra security features these apps offer. Enable options like registration lock, registration PIN and device‑change alerts so that your account cannot be silently re‑registered without an extra secret. Store your PIN in a password manager instead of choosing something easy to guess or reusing a common code, to reduce the chance of social engineering or shoulder‑surfing.
  • Another useful feature is disappearing messages. Short‑timer and disappearing messages reduce how much content is available if an attacker gets into a chat later, or if someone obtains long‑term access to a device or backup. They are not a complete solution, but they can limit the damage.

What to do if you think your account was hijacked

If you suspect an attacker has taken over your messaging account:

  1. Try to re‑register your number in the app immediately to kick out other devices.
  2. Revoke all linked devices and change any app‑specific PINs or lock codes.
  3. Warn your contacts that someone may have impersonated you and ask them to treat recent messages with caution.
  4. Review recent conversations for signs of data theft (for example, shared IDs, documents, or passwords that should now be considered exposed).
  5. Report the incident to the app provider and, where appropriate, to national reporting centers such as the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov or the relevant authority in your country.​

The sooner you act, the smaller the window in which attackers can exploit your account.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Signal and WhatsApp accounts targeted in phishing campaign

10 March 2026 at 12:19

Dutch intelligence services AIVD and MIVD warn that Russian state‑backed hackers are running a large‑scale campaign to break into Signal and WhatsApp accounts of high‑value targets.

The targets are said to be senior officials, military personnel, civil servants, and journalists. The attackers are not breaking end‑to‑end encryption or exploiting a vulnerability in the apps themselves. Instead, they rely on proven phishing and social engineering methods to trick users into handing over verification codes and PINs, or to add a malicious “linked device” to their account.

Last year we reported on GhostPairing, a method that tricks the target into completing WhatsApp’s own device-pairing flow, silently adding the attacker’s browser as an invisible linked device to the account.

In the cases reported by the Dutch intelligence services, the attackers contacted victims on Signal or WhatsApp while posing as “Signal Security Support Chatbot”, “Signal Support” or a similar official‑sounding account.

The message typically warns about suspicious activity or a possible detected data leak and instructs the user to complete a verification step to avoid losing data or having their account blocked.

Victims are then asked to send back the SMS verification code they just received and/or their Signal PIN.

If the victim complies, the attacker can register the account on a device they control and effectively take it over, receiving new messages and sending messages as the victim.

In a second variant, attackers abuse the “linked devices” feature (Signal’s and WhatsApp’s desktop or other secondary device function). Targets are pushed to click a link or scan a QR code that silently links the attacker’s device to the victim’s account. The victim keeps access as normal, but the attacker can now read along in real time without obvious signs of compromise.

These attacks are not new, but deserve a renewed warning because they rely entirely on human behavior, and understanding how they work makes them easier to stop. The methods used are not technically sophisticated and they can easily be copied by non‑state actors or ordinary cybercriminals.

Because of the current Russian campaigns, AIVD and MIVD say that chat apps such as Signal and WhatsApp are unsuitable for sharing classified, confidential, or otherwise sensitive government information, even though they technically support end‑to‑end encryption.

How to keep your conversations confidential

One specific warning for the targeted users is to use designated apps for sensitive information. Despite dedicated secure systems being available to many of them, some resorted to apps they already knew—Signal and WhatsApp. And to be fair, these apps are safe if you follow a few basic rules:

How to prevent and detect compromised accounts

  • Never share verification codes or PIN numbers. Your SMS verification code and PIN are only needed when you install or re‑register the app on a device. They are never legitimately requested in a chat. Any in‑app message, direct message (DM), email, or SMS asking you to send these codes back is a phishing attempt.
  • Do not trust “support” accounts in chat. Signal explicitly states that Support will never contact you via in‑app messages, SMS, or social media to ask for your verification code or PIN. Treat any “Signal Support Bot”, “Security Chatbot” or similar as malicious, block and report it and then delete the conversation.
  • Be cautious with links and QR codes in chat. Only scan QR codes or click device‑linking links when you yourself are in the app’s device‑linking menu and you initiated the process. If a message pushes you to “verify your device” or “secure your data” via a link or QR, assume it is part of this campaign.
  • Regularly review linked devices and group memberships. In Signal and WhatsApp, check the list of linked devices and remove anything you do not recognize. Also keep an eye out for strange group participants or duplicate contacts (for example “deleted account” or a contact that appears twice), which Dutch intelligence services mention as possible signs of account compromise.
  • Use built‑in hardening features. Enable options like registration lock, registration PIN and device‑change alerts so that your account cannot be silently re‑registered without an extra secret. Store your PIN in a password manager instead of choosing something easy to guess or reusing a common code, to reduce the chance of social engineering or shoulder‑surfing.

Use disappearing messages

Both Signal and WhatsApp support disappearing messages, and using them can meaningfully limit the impact of account compromise or device access (though they don’t prevent it completely).

Short‑timer and disappearing messages reduce how much content is available if an attacker gets into a chat later, or if someone obtains long‑term access to a device or backup. They are not a complete solution, but they can limit the damage.

Signal lets you set a per‑chat timer so that all new messages in that conversation auto‑delete from all devices after the chosen period.​ You can enable it for 1:1 or group chats and choose from various durations (seconds to weeks), and either party can see it is enabled and change the timer.​

WhatsApp also supports disappearing messages with timers per chat (and a default option for new chats). Messages can auto-delete after periods such as 24 hours, 7 days, or 90 days, and newer builds include shorter options like 1 or 12 hours.

You turn it on in the chat info under “Disappearing messages,” then pick the desired timer; only messages sent after enabling it are affected.

For particularly sensitive media or voice messages, WhatsApp also offers “view once”  photos, voice messages, and videos that can only be opened a single time before disappearing from the chat.

Enable multi-factor authentication

We’ve written a complete guide on setting up two-step verification on WhatsApp.

To set up two-factor authentication (2FA) on Signal, enable the Registration Lock feature, which requires your set PIN to log in on a new device. Open Signal, go to Settings > Privacy > Registration Lock and turn it on. This ensures that even if someone steals your SIM, they cannot access your account without your personal PIN.


We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Signal and WhatsApp accounts targeted in phishing campaign

10 March 2026 at 12:19

Dutch intelligence services AIVD and MIVD warn that Russian state‑backed hackers are running a large‑scale campaign to break into Signal and WhatsApp accounts of high‑value targets.

The targets are said to be senior officials, military personnel, civil servants, and journalists. The attackers are not breaking end‑to‑end encryption or exploiting a vulnerability in the apps themselves. Instead, they rely on proven phishing and social engineering methods to trick users into handing over verification codes and PINs, or to add a malicious “linked device” to their account.

Last year we reported on GhostPairing, a method that tricks the target into completing WhatsApp’s own device-pairing flow, silently adding the attacker’s browser as an invisible linked device to the account.

In the cases reported by the Dutch intelligence services, the attackers contacted victims on Signal or WhatsApp while posing as “Signal Security Support Chatbot”, “Signal Support” or a similar official‑sounding account.

The message typically warns about suspicious activity or a possible detected data leak and instructs the user to complete a verification step to avoid losing data or having their account blocked.

Victims are then asked to send back the SMS verification code they just received and/or their Signal PIN.

If the victim complies, the attacker can register the account on a device they control and effectively take it over, receiving new messages and sending messages as the victim.

In a second variant, attackers abuse the “linked devices” feature (Signal’s and WhatsApp’s desktop or other secondary device function). Targets are pushed to click a link or scan a QR code that silently links the attacker’s device to the victim’s account. The victim keeps access as normal, but the attacker can now read along in real time without obvious signs of compromise.

These attacks are not new, but deserve a renewed warning because they rely entirely on human behavior, and understanding how they work makes them easier to stop. The methods used are not technically sophisticated and they can easily be copied by non‑state actors or ordinary cybercriminals.

Because of the current Russian campaigns, AIVD and MIVD say that chat apps such as Signal and WhatsApp are unsuitable for sharing classified, confidential, or otherwise sensitive government information, even though they technically support end‑to‑end encryption.

How to keep your conversations confidential

One specific warning for the targeted users is to use designated apps for sensitive information. Despite dedicated secure systems being available to many of them, some resorted to apps they already knew—Signal and WhatsApp. And to be fair, these apps are safe if you follow a few basic rules:

How to prevent and detect compromised accounts

  • Never share verification codes or PIN numbers. Your SMS verification code and PIN are only needed when you install or re‑register the app on a device. They are never legitimately requested in a chat. Any in‑app message, direct message (DM), email, or SMS asking you to send these codes back is a phishing attempt.
  • Do not trust “support” accounts in chat. Signal explicitly states that Support will never contact you via in‑app messages, SMS, or social media to ask for your verification code or PIN. Treat any “Signal Support Bot”, “Security Chatbot” or similar as malicious, block and report it and then delete the conversation.
  • Be cautious with links and QR codes in chat. Only scan QR codes or click device‑linking links when you yourself are in the app’s device‑linking menu and you initiated the process. If a message pushes you to “verify your device” or “secure your data” via a link or QR, assume it is part of this campaign.
  • Regularly review linked devices and group memberships. In Signal and WhatsApp, check the list of linked devices and remove anything you do not recognize. Also keep an eye out for strange group participants or duplicate contacts (for example “deleted account” or a contact that appears twice), which Dutch intelligence services mention as possible signs of account compromise.
  • Use built‑in hardening features. Enable options like registration lock, registration PIN and device‑change alerts so that your account cannot be silently re‑registered without an extra secret. Store your PIN in a password manager instead of choosing something easy to guess or reusing a common code, to reduce the chance of social engineering or shoulder‑surfing.

Use disappearing messages

Both Signal and WhatsApp support disappearing messages, and using them can meaningfully limit the impact of account compromise or device access (though they don’t prevent it completely).

Short‑timer and disappearing messages reduce how much content is available if an attacker gets into a chat later, or if someone obtains long‑term access to a device or backup. They are not a complete solution, but they can limit the damage.

Signal lets you set a per‑chat timer so that all new messages in that conversation auto‑delete from all devices after the chosen period.​ You can enable it for 1:1 or group chats and choose from various durations (seconds to weeks), and either party can see it is enabled and change the timer.​

WhatsApp also supports disappearing messages with timers per chat (and a default option for new chats). Messages can auto-delete after periods such as 24 hours, 7 days, or 90 days, and newer builds include shorter options like 1 or 12 hours.

You turn it on in the chat info under “Disappearing messages,” then pick the desired timer; only messages sent after enabling it are affected.

For particularly sensitive media or voice messages, WhatsApp also offers “view once”  photos, voice messages, and videos that can only be opened a single time before disappearing from the chat.

Enable multi-factor authentication

We’ve written a complete guide on setting up two-step verification on WhatsApp.

To set up two-factor authentication (2FA) on Signal, enable the Registration Lock feature, which requires your set PIN to log in on a new device. Open Signal, go to Settings > Privacy > Registration Lock and turn it on. This ensures that even if someone steals your SIM, they cannot access your account without your personal PIN.


We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

❌