A bombshell report from The Atlantic this week that revealed that U.S.
officials accidentally shared information about military airstrikes with a reporter has people around the world reeling. At the center of the revelation is the messaging app Signal.
So, what is Signal and how did apparently classified information end up being shared on it? Let’s find out.
What is Signal?
According to its website, Signal is a 501c3 nonprofit that powers private, secure messaging. In a 2018 blog post, founder Moxie Marlinspike (real name Matthew Rosenfeld, per Business Insider) announced the launch of this nonprofit, Signal Foundation and said it was “made possible by Brian Acton, the co-founder of WhatsApp.”
Acton said that he and Marlinspike began a project to add end-to-end encryption to WhatsApp beginning in 2013.
Marlinspike explained in his post that the goal behind signal was to prove that “private communication could be simple.” By the time he posted it, his team had already “built a service used by millions, and software used by billions,” he said.
“The stories that make it back to us and keep us going are the stories of people discovering each other in moments where they found they could speak freely over Signal, of people falling in love over Signal, of people organizing ambitious plans over Signal,” Marlinspike said. “When we ask friends who at their workplace is on Signal and they respond ‘every C-level executive, and the kitchen staff.’ When we receive a subpoena for user data and have nothing to send back but a blank sheet of paper. When we catch that glimpse of ‘Signal blue’ on a metro commuter’s phone and smile.”
Per a report this week from the BBC, Signal has an estimated 40-70 million monthly users.
How was Signal allegedly used by U.S. officials?
“The Trump Administration Accidentally Texted Me Its War Plans,” said the title of a Monday article from Editor-in-Chief Jeffrey Goldberg of The Atlantic. In it, he said that Secretary of Defense Pete Hegseth texted him war plans via Signal on the morning of March 15 regarding the U.S. bombing Houthi targets across Yemen.
Goldberg said others in the group chat included Vice President JD Vance, Secretary of State Marco Rubio, Director of National Intelligence Tulsi Gabbard, National Security Adviser Mike Waltz, and CIA Director John Ratcliffe.
Jacob Williams, a cybersecurity expert who has also done intelligence work for the U.S. government, joined KCBS Radio this week to discuss the app and its uses.
“It is really convenient in the sense that nobody can intercept, realistically, nobody can intercept your messages in transit,” he said of the app. “But of course, none of that matters if, for instance, you know, somebody gets added to a sensitive group or for that matter, if the data stored on one of your machines gets compromised somehow.”
That’s exactly what Goldberg said U.S. government officials have done. He has published screenshots of the messages that he found himself receiving by mistake and has refuted claims from President Donald Trump and Hegseth that war plans were not discussed on the chain.
“Weather is FAVORABLE. Just CONFIRMED w/CENTCOM we are a GO for mission launch,” Hegseth wrote in one message, apparently referring to U.S. attack plans against the Houthi targets in Yemen, according to The Atlantic.
“If this information – particularly the exact times American aircraft were taking off for Yemen – had fallen into the wrong hands in that crucial two-hour period, American pilots and other American personnel could have been exposed to even greater danger than they ordinarily would face,” said the outlet.
Hegseth has denied that he texted war plans, but Waltz has said that he’s accepted “full responsibility” for creating the group chat. He told Fox News that: “It’s embarrassing,” and that officials are working to get to the bottom of what happened.
Why were U.S. officials using Signal?
While Signal is known for its end-to-end encryption, that doesn’t necessarily mean it is a suitable platform for communicating about sensitive national security information.
“It’s been explicitly covered in cyber security training that you’re not allowed to put any non-public DoD information into Signal,” Williams said. “They explicitly call out Signal as a place you can’t put non- public information.”
He went on to explain that “realistically, all of our national security representatives have access to classified cell phones,” that are meant to be utilized for sharing the type of information described in The Atlantic.
“It’s worth mentioning here – not only that this is doubtlessly classified information, but separately, there are federal records-keeping requirements, and Signal doesn’t support any of those,” Williams told KCBS Radio.
CBS News military analyst Jeff McCausland has posited that “laziness” is one of the reasons why the information was shared on Signal. Williams said that could be the case, or that some of the people communicating prefer not to carry the classified cell phones.
“I think there’s also a side of it where, if you want to avoid government transparency – including potential Freedom of Information Act requests in the future – you put it on a platform where it’s never creating what the government considers an official record,” he added. “But to be very, very clear, some of the stuff that some of the messages that have been detailed, you know, by Goldberg… are very clearly… government records. And so, you know, there are multiple levels of issues here.”
What about reports of ‘vulnerabilities’ related to Signal?
Audacy reported this week that the National Security Agency had warned about vulnerabilities related to Signal around a month before Goldberg was mistakenly added to the group chat.
The internal documents about Signal from the NSA were titled “Signal Vulnerability” and though unclassified, they were intended for official use only. They were shared with CBS News by a senior U.S. intelligence official.
“A vulnerability has been identified in the Signal Messenger Application. The use of Signal by common targets of surveillance and espionage activity has made the application a high-value target to intercept sensitive information,” the internal bulletin said. Documents also warned that the app is vulnerable to Russian professional hacking groups employing phishing scams so they can gain access to encrypted conversations and said that while Signal and Whatsapp are allowed for certain “unclassified accountability/recall exercises,” they should not be used for communicating more sensitive information.
In a Tuesday X post, Singal appeared to respond to the reports about vulnerabilities related to the app.
“Right now there are a lot of new eyes on Signal, and not all of them are familiar with secure messaging and its nuances,” said the post. “Which means there’s misinfo flying around that might drive people away from Signal and private communications.”
It went on to say that some claims about vulnerabilities are “inaccurate” and that they appears to stem from reporting on a Pentagon advisory memo. Signal acknowledged that the memo used the term “vulnerability” in relation to the service but it “had nothing to do with Signal’s core tech,” and instead warned of phishing scams specifically targeted at Signal users.
As Williams explained, end-to-end encryption keeps conversations private, but it does not prevent users from sharing information with accounts that may be linked to scams… or to editors of major news outlets. According to its post, Signal has introduced new features such as in-app warnings to help reduce users’ risk of falling prey to phishing scams.
Has Signal responded to The Atlantic’s report?
Business Insider noted that Marlinspike joked about the situation in a Monday X post.
“There are so many great reasons to be on Signal. Now including the opportunity for the vice president of the United States of America to randomly add you to a group chat for coordination of sensitive military operations,” he said. “Don’t sleep on this opportunity…”