Incident

TeleMessage data breach exposes modified messaging apps used by U.S. officials

A security breach at TeleMessage has exposed confidential U.S. government communications. TeleMessage is an Israeli firm that sells modified versions of popular messaging applications, with message archiving added, to U.S. government agencies and high-ranking U.S. officials. The attack has raised national security concerns.

A hacker claims to have breached TeleMessage's systems, reportedly completing the intrusion in about 20 minutes. The compromised server was identified as being hosted on Amazon AWS infrastructure in Northern Virginia, a claim 404 Media verified through analysis of the modified Signal app's code and direct HTTP requests to the server.

The stolen data reportedly includes:

  • Contents of direct messages and group chats sent using TeleMessage's modified versions of Signal
  • Similar message content from modified versions of WhatsApp, Telegram, and WeChat
  • Names, phone numbers, and email addresses of approximately 747 Customs and Border Protection (CBP) officials
  • Contact information of current and former Coinbase employees
  • Backend credentials
  • Debug data containing fragments of live, unencrypted messages
  • Discussions related to Galaxy Digital and U.S. Senate bill deliberations

The attack vector and the number of affected individuals were not initially disclosed.

The breach occurred shortly after National Security Advisor Mike Waltz inadvertently revealed that he was using TeleMessage's modified version of Signal during a cabinet meeting with President Trump.

The authenticity of the breach was verified by 404 Media, who contacted CBP officials listed in the stolen data.

TeleMessage suspended all services after the hacker's claims became public. A spokesperson for Smarsh, the company that owns TeleMessage, said Monday that the company "is investigating a potential security incident. Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation. Out of an abundance of caution, all TeleMessage services have been temporarily suspended."

Update - as of 7 May 2025, more details have emerged about the flaws in TeleMessage. The company's website was improperly configured and exposed users' credentials in the clear, with no hacking technique required. According to investigative reports, the problem originated in a "Sign Up" page that placed user credentials in plaintext URL query parameters when users logged in and out of the service. Anything that records URLs, such as browser history, Referer headers, proxy logs and web-server access logs, would therefore capture those credentials. This misconfiguration had reportedly been present for years.
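The misconfiguration above is the classic "secrets in the query string" failure. The following is an added example, written for this page and not TeleMessage's code, showing how a defender would scan web-server access logs for credential-bearing URLs and redact them before filing a finding. The log lines are constructed, and the parameter names in SENSITIVE_PARAMS are assumptions about what a leaky form might use.

```python
"""Detect credentials leaking through URL query strings.

Added illustration for the misconfiguration described above (credentials
placed in URLs during sign-up, login and logout). This is example code written
for this page, not TeleMessage's code. The log lines below are constructed,
and the parameter names are assumptions about what a leaky form might use.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that should never travel in a URL: query strings end up
# in browser history, Referer headers, proxy/CDN logs and web-server access logs.
SENSITIVE_PARAMS = {
    "password", "passwd", "pwd", "pass", "token", "access_token",
    "secret", "api_key", "apikey", "session", "otp",
}

# Apache/nginx "combined" style access log line (assumed format for the sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_leaked_params(url_or_path):
    """Return (name, value) pairs in the query string whose name is sensitive."""
    query = urlsplit(url_or_path).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def redact(url_or_path):
    """Same URL with sensitive values replaced, so findings can be shared safely."""
    parts = urlsplit(url_or_path)
    query = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def scan_access_log(lines):
    """Return (client_ip, method, redacted_path, leaked_param_names) for every
    request whose URL carried a credential. Lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        leaked = find_leaked_params(m["path"])
        if leaked:
            findings.append((m["ip"], m["method"], redact(m["path"]),
                             [name for name, _ in leaked]))
    return findings


# Constructed sample log: two requests leak a credential, two are clean.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/May/2025:10:15:01 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0',
    '203.0.113.5 - - [07/May/2025:10:15:02 +0000] "GET /dashboard HTTP/1.1" 200 4213',
    '198.51.100.7 - - [07/May/2025:10:16:30 +0000] "GET /logout?session=abc123&next=%2F HTTP/1.1" 302 0',
    '198.51.100.7 - - [07/May/2025:10:17:00 +0000] "POST /signup HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for ip, method, path, names in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {method} {path}  leaked: {', '.join(names)}")
```

Run against real logs, the scanner is a quick way to confirm whether a form ever submitted credentials via GET; the redaction step matters because the finding itself would otherwise become a second copy of the leaked secret. Note that the scan only sees what reached the server; URLs also leak through Referer headers and client-side history, which no server-side fix can recall.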

Additionally, on May 1, 2025, the same day the app was reported to be in use by Mike Waltz, the NIST National Vulnerability Database published a vulnerability in the Gravity Forms WordPress plugin used on the TeleMessage website. The advisory describes a server-side request forgery (SSRF) issue: it "makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services." Because it requires Administrator-level access, this flaw is not an unauthenticated entry point on its own.

As of 19 May, the incident is reported to have been caused by a vulnerability tracked as CVE-2025-47729. The flaw lay in TeleMessage's implementation of its message archiving functionality: the archiving backend stored cleartext copies of messages from TM SGNL (also known as Archive Signal) users, so anyone who reached that backend could read chat logs from what was supposed to be an end-to-end encrypted messaging system. The end-to-end guarantee held only between the two endpoints; the archiving step re-created a plaintext copy on a third-party server. Following the breach, the pro-transparency organization Distributed Denial of Secrets (DDoSecrets) published 410 gigabytes of data obtained from TeleMessage's systems.
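To make the design flaw concrete, the following added example (written for this page, not TeleMessage's or Signal's code) places a cleartext archive beside a hardened variant in which the client seals each message under a customer-held archive key before upload, so a dump of the archiving backend yields only ciphertext. The classes, the key handling and the sample message are assumptions; the cipher is an HMAC-based encrypt-then-MAC demonstration construction so the file runs with the standard library alone, and a real deployment would use an AEAD such as AES-GCM or ChaCha20-Poly1305.

```python
"""Cleartext archiving versus sealed archiving.

Added illustration of the design flaw described above (an archiving backend
holding plaintext copies of end-to-end encrypted messages) beside a hardened
variant. This is example code written for this page, not TeleMessage's or
Signal's code; the classes, the customer-held archive key and the sample
message are assumptions. The cipher is an HMAC-based demonstration
construction, not a production cipher.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key, label):
    """Derive separate encryption and MAC keys from the archive key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """PRF keystream: HMAC-SHA256(enc_key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key, blob):
    """Verify the tag before decrypting; a wrong key or tampering raises ValueError."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("archive record failed authentication")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class CleartextArchive:
    """The failure mode: the archiving service stores the message body as received."""

    def __init__(self):
        self.records = []

    def store(self, sender, recipient, body):
        self.records.append({"from": sender, "to": recipient, "body": body})

    def dump(self):
        """What a compromise of the backend yields: every body, as stored."""
        return [r["body"] for r in self.records]


class SealedArchive(CleartextArchive):
    """Hardened variant: the client seals each message under the customer's
    archive key before upload. The service stores blobs it cannot read, so a
    dump of its storage yields ciphertext only. It refuses unsealed records."""

    def store(self, sender, recipient, sealed_blob):
        if not isinstance(sealed_blob, bytes) or len(sealed_blob) < NONCE_LEN + TAG_LEN:
            raise ValueError("refusing to archive an unsealed record")
        super().store(sender, recipient, sealed_blob)


def client_archive(customer_key, archive, sender, recipient, text):
    """Client-side step: seal, then hand only the blob to the archiving service."""
    archive.store(sender, recipient, seal(customer_key, text.encode()))


def customer_read(customer_key, archive):
    """Only the holder of the archive key (the customer's compliance team) can read."""
    return [open_sealed(customer_key, r["body"]).decode() for r in archive.records]


def breach_reveals(archive, needle):
    """Simulate an attacker dumping backend storage and searching for a phrase."""
    needle = needle.encode()
    return any(needle in (b if isinstance(b, bytes) else b.encode()) for b in archive.dump())
```

Two caveats keep the hardened variant honest. Sender, recipient and timing metadata are still stored in the clear, which is exactly the kind of contact data (names, phone numbers, email addresses) listed among the stolen items above, so sealing bodies does not remove the metadata exposure. And if the archiving vendor generates or holds the customer key, the service is back to holding plaintext in all but name.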
