A screengrab of a page from a Pentagon-wide memo warning against using the messaging app Signal.
NPR
Several days after top national security officials accidentally included a reporter in a Signal chat about bombing Houthi sites in Yemen, a Pentagon-wide advisory warned against using the messaging app, even for unclassified information.
“A vulnerability has been identified in the Signal messenger application,” begins the department-wide email, dated March 18, obtained by NPR.
The memo continues, “Russian professional hacking groups are employing the ‘linked devices’ features to spy on encrypted conversations.” It notes that Google has identified Russian hacking groups who are “targeting Signal Messenger to spy on persons of interest.”
Moreover there was a memo in 2023 obtained by NPR warning of using Signal for using any non-public official information.
A Signal spokesman said the Pentagon memo is not about the messaging app’s level of security, but rather that users of the service should be aware of so-called “phishing attacks.” That’s when hackers try to gain access to sensitive information through impersonation or other deceptive tricks.
“Once we learned that Signal users were being targeted, and how they were being targeted, we introduced additional safeguards and in-app warnings to help protect people from falling victim to phishing attacks. This work was completed months ago,” said Signal spokesman Jun Harada.
The March 18, 2025 Pentagon memo adds, “Please note: third-party messaging apps (e.g. Signal) are permitted by policy for unclassified accountability/recall exercises but are not approved to process or store non-public unclassified information.”
The encrypted Signal app is what Defense Secretary Pete Hegseth and other leading national security officials within the administration used to discuss bombing Houthi sites earlier this month. The Atlantic editor Jeffrey Goldberg was inadvertently added to the group and privy to the highly sensitive discussions.
In the military, sending classified data over insecure channels is called “spillage”; it can be a career ender for a military officer.
The 2023 DoD memo prohibited use of mobile applications for even “controlled unclassified information,” which is many degrees less important than information about on-going military operations.
There’s almost no precedent for the heads of Defense, State, Intelligence and National Security to be sharing such sensitive military intelligence in a forum that was known to be unsecured.
“These are things that are absolutely basic,” John Bolton, former national security adviser during the first Trump administration, told NPR’s Here & Now. “Yet these are cabinet level people in our government, and yet not one of them ever said, ‘Why are we on Signal?’ “
