A screen grab of a page from a Pentagon-wide memo warning against using the messaging app Signal.
NPR
hide caption
toggle caption
NPR
Several days after top national security officials accidentally included a reporter in a Signal chat about bombing Houthi sites in Yemen, a Pentagon-wide advisory warned against using the messaging app, even for unclassified information.
“A vulnerability has been identified in the Signal Messenger Application,” begins the department-wide email, dated March 18 and obtained by NPR.
The memo continues, “Russian professional hacking groups are employing the ‘linked devices’ features to spy on encrypted conversations.” It notes that Google has identified Russian hacking groups that are “targeting Signal Messenger to spy on persons of interest.”
Moreover, a memo in 2023, obtained by NPR, warned of using Signal for any nonpublic official information.
A Signal spokesman said the Pentagon memo is not about the messaging app’s level of security, but rather that users of the service should be aware of what are known as “phishing attacks.” That’s when hackers try to gain access to sensitive information through impersonation or other deceptive tricks.
“Once we learned that Signal users were being targeted and how they were being targeted, we introduced additional safeguards and in-app warnings to help protect people from falling victim to phishing attacks. This work was completed months ago,” said Signal spokesman Jun Harada.
The March 18, 2025, Pentagon memo adds, “Please note: third party messaging apps (e.g. Signal) are permitted by policy for unclassified accountability/recall exercises but are NOT approved to process or store nonpublic unclassified information.”
The encrypted Signal app is what Defense Secretary Pete Hegseth and other leading national security officials within the administration used to discuss bombing Houthi sites this month. The Atlantic‘s editor-in-chief, Jeffrey Goldberg, was inadvertently added to the group and was privy to the highly sensitive discussions.
In the military, sending classified data over insecure channels is called “spillage”; it can be a career ender for a military officer.
The 2023 Defense Department memo prohibited use of mobile applications for even “controlled unclassified information,” which is many degrees less important than information about ongoing military operations.
There’s almost no precedent for the heads of defense, state, intelligence and national security to be sharing such sensitive military intelligence in a forum that was known to be unsecured.
“These are things that are absolutely basic,” John Bolton, former national security adviser during the first Trump administration, told NPR’s Here & Now. “Yet these are Cabinet-level people in our government, and yet not one of them ever said, ‘Why are we on Signal?'”
NPR disclosure: Katherine Maher, the CEO of NPR, chairs the board of the Signal Foundation.
NPR’s Bobby Allyn contributed to this story.
