TeleMessage, a modified Signal clone used by US government officials, has been hacked

A hacker has exploited a vulnerability in TeleMessage, which provides modded versions of encrypted messaging apps such as Signal, Telegram, and WhatsApp, to extract archived messages and other data relating to U.S. government officials and companies who used the tool, 404 Media reported.

TeleMessage came into the spotlight last week after it was reported that former U.S. national security adviser Mike Waltz was using TeleMessage’s modified version of Signal. Israel-based TeleMessage, owned by Smarsh, offers its clients a way to archive messages, including voice notes, from encrypted apps.

The messages of cabinet members and Waltz were not compromised, 404 Media said, but the hacked data contained contents of messages; contact information of government officials; back-end login credentials for TeleMessage; and more. Data pertaining to the U.S. Customs and Border Protection, crypto exchange Coinbase, and financial service providers like Scotiabank were extracted by the hacker, the report said.

The hack revealed that the archived chat logs are not end-to-end encrypted between the modded version of Signal that TeleMessage offers and the ultimate location where it stores the messages, 404 Media reported.

Smarsh, the company that owns TeleMessage, told TechCrunch in a statement that it suspended TeleMessage’s services, and is investigating “a potential security incident.”

“Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation,” read the statement. “Out of an abundance of caution, all TeleMessage services have been temporarily suspended. All other Smarsh products and services remain fully operational.”

A Coinbase spokesperson said tha the company is “closely following these reports and assessing their impact on Coinbase.  At this time, there is no evidence any sensitive Coinbase customer information was accessed or that any customer accounts are at risk, since Coinbase does not use this tool to share passwords, seed phrases, or other data needed to access accounts.”

Signal, U.S. Customs and Border Protection, and Scotiabank did not immediately return requests for comment.

This story has been updated to include comments from Smarsh and Coinbase.