Background

In February 2025, the National Security Agency (NSA) circulated a bulletin to its personnel addressing potential vulnerabilities associated with the encrypted messaging application, Signal. This announcement comes on the heels of a critical report from The Atlantic detailing a significant security lapse involving U.S. Defense Secretary Pete Hegseth.

Details of the Incident

According to the article by Jeffrey Goldberg, the editor-in-chief of The Atlantic, Hegseth disclosed sensitive military information within a Signal chat group just two hours before the U.S. military’s operations against Houthi forces in Yemen commenced. These disclosures reportedly included specific details on weapons, targets, and the timing of the attacks.

NSA’s Operational Security Bulletin

The internal NSA documents, which are classified as “unclassified but for official use only,” highlight critical concerns regarding the Signal application. Entitled “Signal Vulnerability,” the bulletin suggests that the application has become an appealing target for intelligence agencies and hackers due to its association with individuals under surveillance.

The bulletin underscores a growing threat from Russian hacking entities that utilize phishing schemes to infiltrate accounts and access encrypted conversations, thus circumventing Signal’s end-to-end encryption.

Guidelines for NSA Employees

NSA personnel were reminded that while third-party messaging applications such as Signal and WhatsApp can be employed for certain unclassified exchanges, they should refrain from communicating sensitive information. The bulletin emphasized the need for caution, advising against sharing any compromising data over social media or internet-based platforms and warned against creating connections with unknown individuals.

Response from Signal

In response to the NSA’s bulletin, Signal released a statement on social media asserting that the term “vulnerability” referenced in the memo did not pertain to deficiencies in Signal’s core technology. Instead, it highlighted concerns about phishing attacks targeting users, which Signal noted are a persistent risk for many popular applications and websites.

Testimonies and Clarifications

During a Senate panel session, National Intelligence Director Tulsi Gabbard and CIA Director John Ratcliffe, who were part of the aforementioned Signal group chat, testified regarding the conversation’s content. Gabbard confirmed to lawmakers, “There was no classified material that was shared in that Signal chat.” However, the NSA bulletin cautioned that even unclassified and nonpublic information should not be transmitted using Signal.

Ratcliffe characterized Signal as an application sanctioned for use among senior officials, noting its role as a communication tool among high-level personnel, though it should not replace classified channels for operational communications.

When questioned about whether the Signal conversation involved details on military operations, both officials maintained that they were unaware of any such information being discussed.