NSA Warning—Check These iPhone, Android Message Settings (2025)

So, Signalgate is back, with reports that Secretary of Defense Pete Hegseth had just a brief respite from the original Signal controversy before becoming embroiled in a new, more personal one. Reports suggest he shared information with his wife and brother, which may or may not have been classified but was certainly sensitive.

As this furor hit the U.S., prompting another White House confidence statement and even “fears” that “Signal leaks make Pete Hegseth a top espionage target," there was another report that Signal was being exploited by Russia in its attacks on Ukraine, the same set of actors prompting the NSA’s message settings warning last month.

In the first instance, group chat invites were hijacked to link attacker devices to target accounts. This time, Signal — and WhatsApp — messages have been used by “multiple Russian threat actors” to aggressively target individuals and organizations with ties to Ukraine and human rights." Just as in the U.S., these consumer-grade platforms have been co-opted by security and defense personnel based on ease of use. That problem is no different for enterprises the world over, both public and private.

ForbesWhy You Should Never Call These Numbers On Your PhoneBy Zak Doffman

That warning comes courtesy of Volexity, which discovered the attacks tricking victims into sharing the URL strings created by Microsoft’s OAuth workflows, essentially letting an attacker copy those to their own device to access a target account. Doing this granted an attacker account access “to join attacker-controlled devices to Entra ID (previously Azure AD), and to download emails and other account-related data.”

There is no suggestion of any vulnerability with Signal or WhatsApp in this instance. Those messages just contained the phishing lures sent to targets, and the attackers found ways to make messages seem to originate from “officials from various European nations, and in one instance leveraged a compromised Ukrainian Government account.”

But it is a timely reminder for all users to check their message settings following the NSA’s warning and advisory in the wake of the original Russian Signal exploit and the original Signalgate. You should do this now, so you don’t forget.

As I advised at the time, the main “vulnerabilities” to check are Linked Devices and Group Links. The first syncs messages across your devices, phones, tablets, computers. The second is a simple way to send out group invites, albeit a more risky one.

ForbesWhatsApp Confirms How To Block Meta AI From Your ChatsBy Zak Doffman

“In Signal, disable the Group Link from within the group’s settings. In WhatsApp you don’t have that option, but do not use links for sensitive groups; you should also set sensitive groups in WhatsApp such that only Admins can add members.”

Linked Devices is a more dangerous issue for users and needs to be checked regularly. If a device you don’t recognize is linked to your account, you must remove it immediately. “In both apps there is a clear settings menu titled ‘Linked Devices’. Go there now and unlink any device you don’t 100% recognize as belonging to you. If in doubt, remove. You can always add it back later if you make a mistake. On both apps, your primary phone is the base and all other devices can be linked and unlinked there.”

The NSA’s other advice for messaging users is sensible housekeeping. Set and change PINs regularly, enable your screen lock, and don’t share status info beyond your contacts. You should also avoid being added to groups unless you accept and downloading media to your phone automatically.