
Secure messaging apps like Signal and WhatsApp are widely trusted for protecting sensitive conversations—from journalists guarding sources to government officials discussing national security.
But a recent revelation involving White House staff using Signal to coordinate discussions about potential military action in Yemen has reignited serious concerns. According to a warning from the NSA, the real threat to these platforms isn’t always hackers breaking encryption—it’s user behavior, poor operational security, and misplaced trust in default settings.
Even the most secure tools can become liabilities when used without caution, and the implications could be far more serious than just a leaked group chat.
It always comes down to human vulnerability.
NSA’s Warning
The National Security Agency recently issued a public warning that should make every smartphone user take immediate action. The warning came after Google’s Threat Intelligence Group discovered Russian military intelligence (GRU) operatives tricking Ukrainian officials into compromising their Signal accounts—not by breaking the encryption, but by exploiting user-controlled features.
The crux of the warning: Secure messaging apps on your phone might not be as safe as you think—not due to flaws in their encryption, but because their effectiveness depends on how you use them. Even the most robust security features can be rendered useless by careless habits, and millions of iPhone and Android users unknowingly leave themselves exposed through simple, avoidable mistakes.
This isn’t just a Signal problem. The same vulnerabilities exist in WhatsApp and Telegram, affecting billions of users worldwide who believe their communications are secure.
Critical Vulnerabilities You Can Fix Today
The NSA identified two major “user vulnerabilities” that create security gaps in otherwise secure apps:
1. Linked Devices
That convenient feature allowing you to access your messages across multiple devices? It’s also a massive security risk. When improperly managed, it can allow attackers to establish a fully synchronized replica of your messaging app on their device.
The Fix for Signal:
- Open Signal and go to Settings > Linked Devices
- Review every linked device listed
- Remove any device you don’t recognize or no longer use
- Consider periodically unlinking and relinking browser connections
The Fix for WhatsApp:
- Open WhatsApp and go to Settings > Linked Devices
- Check all connected devices shown
- Click on any suspicious device and select “Log Out”
- For added security, periodically log out of all web sessions
The Fix for Telegram:
- Open Telegram and go to Settings > Devices
- Review all active sessions
- Tap on any unrecognized device and select “Terminate”
- Use the “Terminate All Other Sessions” option for a clean slate if needed
2. Group Links
The simple links used to invite others to group chats can be weaponized. In the Russian attack, Signal group invite links were hijacked to link unauthorized devices instead—a vulnerability in the invite mechanics, not the encryption itself.
The Fix for Signal:
- Open the group chat and tap on the group name
- Go to Group Settings > Group Link
- Toggle off “Group Link” to disable it completely for sensitive conversations
- If you must use a link, set “Approve New Members” to ON so admins must verify newcomers
The Fix for WhatsApp:
- Open the group chat and tap on the group name
- Go to Group Settings > Edit Group Settings
- Change the setting so that “Only admins” can edit group info
- Under “Group Info,” ensure “Send messages” is set to “All participants” only for trusted groups
The Fix for Telegram:
- Open the group and tap the group name at the top
- Go to Edit > Group Type
- For sensitive groups, choose “Private Group”
- Under “Permissions,” restrict who can add members
Universal Precautions:
- Never click on unexpected group links, even from contacts
- Verify the sender via a different channel before accepting any invitation
- Regularly check group participants for unfamiliar accounts
Beyond the Obvious: Additional Protection Steps
The NSA’s guidance extends beyond these two vulnerabilities with app-specific recommendations:
For All Messaging Apps:
- Keep your phone’s operating system and apps updated
- Be wary of forensic exploits that have plagued both iPhones and Androids this year
- Minimize sharing contact information and status updates
For Signal:
- Set and regularly change your Signal PIN (Settings > Account > Signal PIN)
- Enable Registration Lock to prevent unauthorized registration attempts
- Set disappearing messages for sensitive conversations (tap conversation name > Disappearing messages)
- Enable screen lock (Settings > Privacy > Screen Lock)
For WhatsApp:
- Enable two-step verification (Settings > Account > Two-step verification)
- Set up fingerprint/face lock (Settings > Privacy > Fingerprint lock)
- Configure disappearing messages as default (Settings > Privacy > Default message timer)
- Review and limit who can see your profile (Settings > Privacy > Profile photo/Last seen)
For Telegram:
- Enable Two-Step Verification (Settings > Privacy and Security > Two-Step Verification)
- Set up a Passcode Lock (Settings > Privacy and Security > Passcode Lock)
- Configure Auto-Delete timer for sensitive chats
- Use Secret Chats for truly sensitive communications (these can’t be forwarded and can’t be accessed from other devices)
Why This Matters More Than Ever
The line between personal and professional communications continues to blur. The Financial Times recently reported on “WhatsApp world at work,” noting how messaging apps once confined to social life now carry sensitive business communications.
This shift has significant security implications, especially considering Meta’s announcement that WhatsApp surpassed 100 million U.S. users last year—a market that had previously been dominated by iMessage.
The Signal vs. WhatsApp Debate
While both Signal and WhatsApp use the same core encryption protocol, Signal’s leadership maintains they offer superior privacy. Signal CEO Meredith Whittaker recently stated: “Signal is the gold standard in private comms,” while acknowledging that “WhatsApp licenses Signal’s cryptography to protect message contents.”
The distinction matters less than proper usage. As one cybersecurity expert put it: “Whether WhatsApp or Signal, both are secure and recommended for use—if used properly.”
What I Have Learned From This ‘Signal Event’
As I continue writing my book on personal cybersecurity, this NSA warning reinforces a critical theme: technical security measures are only as strong as the people using them. The most sophisticated encryption can be rendered useless by simple oversights in how we configure and use our apps.
This pattern repeats across virtually all security domains—from password management to social media privacy. Understanding these human factors is why I’m so passionate about translating complex security concepts into practical, actionable advice.
What About You?
Have you checked your linked devices recently? Take five minutes right now to review your messaging app settings for each platform you use—it could be the difference between secure communications and a serious privacy breach.
Let me know in the comments what you discovered when checking your own apps. Which messaging platform had the most forgotten connections? Did you find devices you didn’t recognize at all? What other security steps are you taking to protect your digital communications?