Pierluigi Paganini May 05, 2025

A hacker stole data from TeleMessage, exposing messages from its modified Signal, WhatsApp, and other apps sold to the U.S. government.

A hacker stole customer data from TeleMessage, an Israeli firm selling modified versions of popular messaging apps, such as Signal and WhatsApp, to the U.S. government.

“The data stolen by the hacker contains the contents of some direct messages and group chats sent using its Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat.” reported 404media. “TeleMessage was recently the center of a wave of media coverage after Mike Waltz accidentally revealed he used the tool in a cabinet meeting with President Trump.”

The security breach highlights the risks of relying on modified versions of popular apps, especially when chats aren’t end-to-end encrypted between the apps and the archive. 404 Media noted that although the app was used by top U.S. officials, cabinet-level messages were not compromised. However, data belonging to Customs and Border Protection (CBP), Coinbase, and other financial entities was also leaked.

“One screenshot of the hacker’s access to a TeleMessage panel lists the names, phone numbers, and email addresses of CBP officials.” reports 404Media. “The screenshot says “select 0 of 747,” indicating that there may be that many CBP officials included in the data. A similar screenshot shows the contact information of current and former Coinbase employees.”

Though not all data was accessed, the threat actor hacked the company in just 20 minutes, raising national security concerns, especially as top U.S. officials, including Waltz, were using the tool during sensitive discussions.

Last week, 404 Media first reported that the U.S. National Security Advisor Waltz accidentally revealed he was using TeleMessage’s modified version of Signal during the cabinet meeting. 

“The use of that tool raised questions about what classification of information was being discussed across the app and how that data was being secured, and came after revelations top U.S. officials were using Signal to discuss active combat operations.” continues the post.

The exposed TeleMessage data includes message contents, government contact info, backend credentials, and client clues. Messages came from modified Signal and include political and crypto-related discussions, such as chats involving Galaxy Digital and U.S. Senate bill deliberations.

The hacker gained access to debug data from TeleMessage that included fragments of live, unencrypted messages. 404 Media verified the breach by contacting CBP officials listed in the data, confirming its authenticity.

“The server that the hacker compromised is hosted on Amazon AWS’s cloud infrastructure in Northern Virginia. By reviewing the source code of TeleMessage’s modified Signal app for Android, 404 Media confirmed that the app sends message data to this endpoint.” concludes the media. “404 Media also made an HTTP request to this server to confirm that it is online.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)