Can Signal be hacked? Everything you need to know

You’ve probably heard that Signal is one of the most secure messaging apps available.

And you’re right to think that.

But here’s the thing—no app is completely hack-proof. While Signal’s encryption has never been publicly cracked, there are other ways your messages could be compromised.

In this guide, we’ll walk you through everything you need to know about Signal’s security. We’ll explain how the app protects your conversations, the real ways Signal users get hacked, what police can and can’t access, and most importantly—how to lock down your account today.

Can Signal Be Hacked?

Short answer: No one has ever publicly cracked Signal’s encryption.

The Signal Protocol that protects your messages has been analyzed by security researchers and consistently proven to be secure.

When authorities have served Signal with warrants, the company has shown it can provide almost no useful data—just basic info like when your account was created and when you last connected.

But here’s the catch.

When people say their Signal account was “hacked,” it’s almost never because someone broke the encryption. Instead, attackers target your device, steal your phone number, or trick you into linking your account to their device.

Think of it this way: Signal is like a vault with an unbreakable lock. But if someone steals the key from under your doormat or tricks you into letting them inside, the vault’s security doesn’t matter.

How Signal Keeps Your Messages Private

Before we dive into the risks, let’s understand what makes Signal so secure in the first place.

End-to-End Encryption

Every message you send through Signal is protected by end-to-end encryption. This means only you and the person you’re messaging can read what’s sent.

Not even Signal can see your conversations.

The app uses something called the Double Ratchet algorithm to constantly rotate encryption keys. Even if someone somehow captured one key, they couldn’t decrypt your other messages.

In 2023, Signal added post-quantum protection to defend against future quantum computers that could potentially break current encryption. In 2025, they upgraded this protection even further.

Minimal Metadata Collection

Here’s where Signal really stands out from other messaging apps.

Most messaging services collect and store lots of information about you—who you talk to, when you message them, how often you communicate. This metadata can reveal a lot about your life, even if the actual message content is encrypted.

Signal collects almost nothing.

Thanks to a feature called Sealed Sender, even the sender information is hidden from Signal’s servers during transmission. The company doesn’t store your contact list, conversation list, or message history.

When law enforcement agencies have served Signal with search warrants, the company has consistently shown it simply doesn’t have much data to hand over.

Phone Number Privacy & Usernames

In February 2024, Signal introduced a game-changing feature: usernames and phone number privacy.

Now you can:

• Hide your phone number from everyone by default.
• Share a username instead.
• Connect with people via QR codes without exposing your number.

This directly reduces the risk of someone targeting you through your phone number.

The Real Ways Signal Users Get Hacked

Let’s get specific about the actual threats you need to worry about.

1. Device Spyware

This is the biggest threat to Signal users today.

If someone installs spyware on your phone, they can read your Signal messages after they’re decrypted on your device. The encryption doesn’t matter because they’re reading the messages on your screen.

Commercial spyware like NSO Group’s Pegasus has been used to target activists, journalists, and political figures. These tools can silently compromise phones and capture everything—including Signal conversations.

Signs your phone might have spyware:

• Battery draining faster then usual.
• Phone gets hot when you’re not using it.
• Someone knows details of your private conversations
• Unexpected data usage.
• Unknown apps installed.

How to protect yourself:

Keep your operating system updated. Apple and Android regularly patch security vulnerabilities that spyware exploits.

Run regular security scans with Certo AntiSpy. It can detect hidden spyware, keyloggers, and tracking apps that might be monitoring your Signal conversations. The scan only takes a few minutes and gives you peace of mind that your device is clean.

If you’re at high risk (journalist, activist, public figure), consider enabling iOS Lockdown Mode or Android Advanced Protection. These features disable certain functionalities that spyware commonly exploits.

Fig 1. Certo AntiSpy for Android detecting spyware.

2. Account Takeovers During Registration

Remember how we said you need a phone number to register for Signal? That’s a potential vulnerability.

If an attacker gains control of your phone number, they can register it on their own device and take over your Signal account.

Here’s how account takeover attacks work:

1. An attacker uses a SIM-swap attack to steal your phone number.
2. They register your number with Signal on their device.
3. They intercept the SMS verification code.
4. They now control your Signal account.

Once they’re in, you’re locked out—and they can see new messages sent to you (though they won’t have access to your previous message history since Signal doesn’t store it on servers).

The 2022 Twilio incident

This risk became very real in 2022 when Twilio—Signal’s SMS verification provider—was breached by hackers. About 1,900 users had their phone numbers exposed, and one account was actually re-registered on a different device.

This incident highlights just how vulnerable phone numbers can be as an authentication method.

How to protect yourself:

Enable Registration Lock with a Signal PIN. This prevents anyone from registering your number on a new device without your secret PIN—even if they have access to your SMS codes.

Here’s how to set it up:

1. Open Signal and tap your profile picture.
2. Go to Settings > Account.
3. Tap Signal PIN.
4. Create a PIN you’ll remember (write it down somewhere safe).
5. Enable Registration Lock.

3. Linked Devices Phishing

This is a newer attack that’s becoming more common.

Signal lets you link your account to desktop computers and other devices by scanning a QR code. It’s convenient—but attackers have figured out how to abuse this feature.

In 2025, security researchers warned that state-aligned actors were tricking people into scanning malicious QR codes. Once the attacker’s device is linked, they can:

• Read all your messages in real-time.
• See who you’re talking to.
• Access your conversation history.

And you might never notice.

How this attack works:

An attacker sends you a fake message that looks like it’s from Signal, asking you to “verify your account” or “enable a new security feature” by scanning a QR code. When you scan it, you’re actually linking their device to your account.

How to protect yourself:

• Never scan a QR code to link a device unless you initiated the process yourself.
• Treat “link device” prompts like password requests—be suspicious.
• Regularly audit your linked devices (we’ll show you how below).

4. Desktop Risks

Signal Desktop is convenient, but it’s not as secure as your phone.

The desktop app stores an encrypted database of your messages, but the decryption key is stored locally on your computer so the app can access your messages. If your computer gets compromised by malware, an attacker might be able to access this database.

This isn’t a flaw in Signal—it’s just the reality of how desktop apps work.

How to protect yourself:

• Use full-disk encryption on your computer (FileVault on Mac, BitLocker on Windows).
• Keep your operating system and security software updated.
• Only install Signal Desktop on computers you fully control.
• Log out when you’re not using it.
• On Windows, leave Screen Security enabled to block screenshot tools like Microsoft Recall.

How to Secure Your Signal Account

Let’s get practical. Here are the most important Signal security settings you should configure right now:

1. Registration Lock + PIN

What it does: Prevents anyone from registering your number on a new device without your PIN—even if they steal your SIM card.

How to enable:

1. Tap your profile picture > Settings > Account.
2. Tap Signal PIN.
3. Create a memorable PIN.
4. Enable Registration Lock.

Fig 2. Turning on Registration Lock.

2. Phone Number Privacy

What it does: Hides your phone number from people you message.

How to enable:

1. Tap your profile picture > Settings > Privacy.
2. Tap Phone Number.
3. Select Nobody.

Fig 3. Switching phone number privacy to Nobody.

3. Safety Number Verification

What it does: Lets you confirm you’re actually talking to the right person, not an imposter.

How to use:

1. Open a conversation.
2. Tap the contact’s name at the top.
3. Tap View Safety Number.
4. Compare the number with your contact (in person or via video call).
5. Mark as verified if they match.

Fig 4. Checking a contact’s Safety Number.

4. Always Relay Calls

What it does: Hides your IP address during calls.

How to enable:

1. Tap your profile picture > Settings > Privacy.
2. Tap Advanced.
3. Enable Always relay calls.

Fig 5. Turning on Relay Calls.

5. Disappearing Messages

What it does: Automatically deletes messages after a set time period.

How to enable:

1. Tap your profile picture > Settings > Privacy.
2. Tap Disappearing Messages.
3. Set a default timer for new chats.

Fig 6. Enabling Disappearing Messages.

Important note: Disappearing messages won’t protect you if someone takes a screenshot. But they do reduce how much data is stored if your device gets seized.

6. Screen Security (Windows)

What it does: Blocks system screenshots from features like Microsoft Recall.

How to check:

1. Open Signal Desktop on Windows.
2. Go to Settings > Privacy.
3. Ensure Screen security is enabled.

7. Audit Linked Devices

What it does: Shows you all devices connected to your Signal account.

How to check:

1. Tap your profile picture > Settings.
2. Tap Linked devices.
3. Remove any you don’t recognize.

Do this regularly—at least once a month if you regularly use Signal for sensitive conversations.

Fig 7. Checking Linked Devices for any unrecognized accounts.

What About the Future?

Signal isn’t standing still when it comes to security.

Post-Quantum Cryptography

In 2023, Signal introduced PQXDH—a post-quantum extension to their encryption protocol. This protects against “harvest now, decrypt later” attacks, where adversaries collect encrypted messages today hoping to decrypt them once quantum computers become powerful enough.

In 2025, Signal announced SPQR (Sparse Post-Quantum Ratchet), which extends quantum resistance even further throughout your conversations.

What this means for you:

As long as you keep Signal updated, you’re automatically protected against future quantum threats. You don’t need to do anything special.

Wrapping Up

Signal’s encryption hasn’t been cracked, and it remains one of the most secure messaging platforms available.

But security isn’t just about encryption—it’s about the whole system.

Your device is the weak point. Spyware, phishing attacks, SIM swaps, and social engineering are the real threats you need to defend against.

The good news? Most attacks can be prevented with a few simple steps: enable Registration Lock, use a strong device passcode, audit your linked devices regularly, and keep your operating system updated.

If you’re ever concerned your device might be compromised, run a scan with Certo AntiSpy. It only takes a few minutes to get peace of mind.

Stay safe out there.

Frequently Asked Questions (FAQs)

Can Signal be hacked by police?

Not by breaking Signal’s encryption. Law enforcement typically accesses Signal content by getting into the phone itself—using the owner’s passcode, device exploits, or after physical seizure.

When police serve Signal with warrants, they only receive minimal data: account creation date and last connection time.

To protect yourself, use a strong device passcode, enable Registration Lock with a PIN, keep your OS updated, audit linked devices regularly, and use disappearing messages for sensitive conversations.

Can Signal video calls be hacked?

The call stream itself is end-to-end encrypted, so intercepting it on the network won’t reveal any content. The realistic risks are:

1. Device compromise – Spyware on your phone can record your microphone and camera regardless of encryption.
2. IP address exposure – Peer-to-peer calls reveal your IP address to the other person (enable “Always relay calls” in Settings > Privacy to prevent this).

To stay safe, keep your device clean of malware, consider using Always Relay Calls for maximum privacy, and avoid answering calls from unknown or suspicious contacts.

Is Signal safer than WhatsApp or iMessage?

Signal collects significantly less metadata than both WhatsApp and iMessage. While all three use end-to-end encryption for messages, FBI documents show that WhatsApp and iMessage can provide much more information to authorities—including who you talk to and when.

Signal’s Sealed Sender feature also hides sender information during transmission. Additionally, Signal is open-source, meaning security researchers can verify its claims. For maximum privacy, Signal is generally considered the strongest option.

Can hackers see my Signal messages?

Hackers cannot break Signal’s encryption to read your messages in transit. However, they can access your messages if they:

• Install spyware on your device.
• Steal your unlocked phone.
• Successfully perform a SIM-swap attack to take over your account.
• Trick you into linking their device to your account.

The best defense is device security—keep your phone updated, use a strong passcode, enable Registration Lock, and regularly check for linked devices you don’t recognize.

Does Signal notify you when someone logs in?

Yes and no. Signal will notify you when a new device is linked to your account—you’ll see a notification that “a new device has been linked.” However, if someone registers your number on a new device (through account takeover), you’ll be logged out of your existing device and should notice you can’t access your account.

This is why Registration Lock is so important—it prevents this type of account takeover even if someone gets your SMS verification code.