The hack of the TeleMessage communications service, a popular Signal clone used by Trump officials, compromised the messages and metadata of more than sixty U.S. government officials, not just former Trump national security adviser Mike Waltz. The breach, first detailed by Reuters, involved disaster responders, customs personnel, diplomatic staff, and Secret Service members. The incident highlights critical vulnerabilities in third-party services used for government communications.
The compromised data, covering a period ending May 4, was archived by Distributed Denial of Secrets, a non-profit. While Reuters’ initial review found no overtly classified content, messages reportedly touched on senior officials’ travel logistics. The exposure of such metadata alone presents a substantial counterintelligence risk, potentially revealing government operational patterns and contacts. TeleMessage, owned by Smarsh, suspended its services on May 5. Smarsh has not publicly commented on the specifics of the leaked data.
The White House confirmed it was “aware of the cyber security incident at Smarsh”. The Secret Service stated TeleMessage was used “by a small subset of Secret Service employees” and is under review. Initially, the Federal Emergency Management Agency (FEMA) saw “no evidence” of compromise, though Reuters noted FEMA didn’t respond when shown apparent internal messages from the breach.
Official Response and Deepening Concerns
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since escalated concerns, adding TeleMessage’s TM SGNL app vulnerability (CVE-2025-47729) to its Known Exploited Vulnerabilities (KEV) catalog around May 13. The flaw, involving the backend retaining cleartext messages contrary to encryption claims, was actively exploited. Federal agencies are mandated to address KEV-listed vulnerabilities within three weeks, often by discontinuing product use.
SC Media reported that despite a low formal CVSS score, CISA listed the vulnerability due to exploitation evidence and its use by high-ranking officials. Casey Ellis, founder at Bugcrowd, told SC Media that CISA’s action aimed to ensure federal agencies “got the memo” not to use the software, stating, “Given how TeleMessage Signal has been used, and the impact of successful compromise, it’s unsurprising to me.”
Ellis further explained why the low score understates the risk: “The CVSS 1.9 reflects the fact that accessing the unencrypted logs would still require some effort, but the impact of that access, particularly for specific targets, is very high.” The gravity of the situation prompted CISA to recommend users “discontinue use of the product” pending further Smarsh guidance. Watchdog group American Oversight has also demanded an investigation into the use of such vulnerable apps by government officials.
Technical Flaws and Expert Disclosures
The TeleMessage platform, particularly its modified Signal app TM SGNL, was reportedly breached with alarming ease. An attacker informed 404 Media earlier in May that the intrusion “wasn’t much effort at all,” and took under 30 minutes, adding, “If I could have found this in less than 30 minutes then anybody else could too. And who knows how long it’s been vulnerable?”
The ease of the intrusion was potentially due to hardcoded credentials in the app’s source code, a vulnerability security researcher Micah Lee highlighted after analyzing publicly available code. Lee’s earlier analysis had already pointed to how TeleMessage’s system, designed for message archiving for regulatory compliance, inherently bypasses standard end-to-end encryption.
Further technical analysis by Lee revealed that TM SGNL’s architecture grants TeleMessage access to users’ plaintext chat logs. His examination of the Android source code showed messages are intercepted post-decryption and sent to a TeleMessage server.
Lee stated, “TM SGNL completely breaks this security,” and that “The communication between the TM SGNL app and the final archive destination is not end-to-end encrypted.”
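As an added illustration (not TeleMessage’s code and not Lee’s analysis), the Python model below contrasts the architecture described above, where the client decrypts a message and then forwards it to the archive backend in readable form, with an archive copy sealed to a key held only by the agency’s records custodian. The toy cipher, the custodian key and the sample message are assumptions made for the demonstration.

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode) so the demo runs on the stdlib; not Signal's protocol.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def receive_tm_sgnl_style(session_key, wire_blob, archive):
    # The architecture Lee describes: decrypt like a normal Signal client, then forward the
    # decrypted message to the archiving backend, which therefore stores readable text.
    msg = open_(session_key, wire_blob)
    archive.append({"kind": "plaintext", "body": msg})
    return msg

def receive_with_sealed_archive(session_key, wire_blob, custodian_key, archive):
    # Hardened alternative (an assumption here, not TeleMessage's design): re-encrypt the archive
    # copy to a key held only by the records custodian, so the hosting backend holds ciphertext.
    msg = open_(session_key, wire_blob)
    archive.append({"kind": "ciphertext", "body": seal(custodian_key, msg)})
    return msg

def exposed_to_backend_operator(archive):
    # What anyone with access to the backend (as in the breach) can read without holding a key
    return [r["body"] for r in archive if r["kind"] == "plaintext"]

def demo():
    session_key = os.urandom(32)     # Signal session key shared by sender and recipient
    custodian_key = os.urandom(32)   # held by the records custodian, never by the backend
    wire = seal(session_key, b"travel plan: depart 0600")  # constructed sample message
    weak, hardened = [], []
    receive_tm_sgnl_style(session_key, wire, weak)
    receive_with_sealed_archive(session_key, wire, custodian_key, hardened)
    return (exposed_to_backend_operator(weak), exposed_to_backend_operator(hardened),
            open_(custodian_key, hardened[0]["body"]))
```

The first element of `demo()` is the plaintext the backend operator (or an intruder) can read under the forwarded-plaintext design; the second is empty because the sealed archive yields only ciphertext, which the custodian key still opens.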
This plaintext accessibility was confirmed when hackers provided message examples to media. Signal has consistently maintained it “cannot guarantee the privacy or security properties of unofficial versions of Signal.”
Following these public disclosures and a second reported hack detailed by NBC News, Smarsh, the parent company of TeleMessage, confirmed to BleepingComputer that “Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation.”
Investigations and Prior Incidents
The security failures have led Senator Ron Wyden to call for an immediate Department of Justice investigation. In his letter to the Attorney General, Wyden urged the DOJ to probe the counterintelligence threat, access by foreign employees to U.S. government messages, and whether TeleMessage shared data with the Israeli government or if Israel influenced the product’s design.
He termed a Smarsh executive’s prior claim to the New York Times—that TeleMessage did not decrypt information during collection or transit—as “plainly false” based on Lee’s findings. Lee himself commented on TeleMessage’s system design lacking end-to-end encryption and the company’s misrepresentation of this fact, calling it “quite a big red flag.”
This is not the first messaging security issue involving Waltz. He previously faced criticism for accidentally including a journalist in a standard Signal group discussing sensitive military operations.
That incident reportedly contributed to his subsequent departure as National Security Advisor. The current TeleMessage breach, for which Distributed Denial of Secrets has indexed 410GB of data, amplifies concerns about the security of communications tools used across the U.S. government, especially given TeleMessage’s contracts with agencies like the State Department, DHS, and CDC.