# Signal Archiving After TeleMessage for Compliance Teams

How a Signal clone used by U.S. officials was breached in minutes — and what it means for compliance officers evaluating encrypted messaging archiving vendors.

Source: https://commacompliance.com/post/telemessage-signal-timeline
Last updated: 2025-10-23

---
In one of 2025’s most alarming security breaches, a modified clone of the Signal app, known as "TM SGNL," compromised sensitive government communications and exposed deep vulnerabilities in the use of foreign-built tech.

The clone was developed by Israeli tech firm TeleMessage, which Smarsh acquired in 2024, and was intended to archive encrypted communications for compliance purposes.

Instead, it introduced serious vulnerabilities that were exploited by hackers, exposing sensitive government communications and raising concerns about foreign software vendors and operational security.

## **TM SGNL Security Breach: Key Events & Timeline**

**February 2024**

- The US-based company [Smarsh acquired TeleMessage](https://www.advisorhub.com/resources/smarsh-closes-acquisition-of-telemessage/). 

**March 2025**

- Former National Security Adviser Mike Waltz accidentally added [_The Atlantic_’s editor-in-chief](https://www.theatlantic.com/politics/archive/2025/03/trump-administration-accidentally-texted-me-its-war-plans/682151/) to a Signal group chat discussing U.S. military operations in Yemen.
- _WSJ_ and _Axios_ reported that officials, including Waltz and Defense Secretary Pete Hegseth, [were using Signal](https://www.wsj.com/tech/what-is-signal-and-why-were-trump-officials-using-it-to-plan-a-military-strike-65e4abc4) to coordinate discussions involving Russia and Ukraine.

**May 1, 2025**

- _Reuters_ published photographs confirming Waltz was using "TM SGNL" at a cabinet meeting. It is not known whether White House officials began using TM SGNL after the initial Signal group chat, or before.
- Waltz [was fired](https://www.reuters.com/world/us/white-house-national-security-adviser-waltz-leave-post-source-says-2025-05-01/) and quickly nominated to become U.S. Ambassador to the UN. Marco Rubio was named interim National Security Adviser.

**May 4, 2025**

- [_404 Media_](https://www.404media.co/) reported that [a hacker breached TeleMessage’s backend](https://www.404media.co/the-signal-clone-the-trump-admin-uses-was-hacked/) in under 20 minutes, accessing usernames, passwords, internal credentials, and message data from modified versions of Signal, Telegram, and WhatsApp.

**May 5, 2025**

- News sources revealed TeleMessage’s efforts to rebrand as "Capture Mobile."
- [Additional reporting](https://www.dropsitenews.com/p/mikewaltz-tech-israel-nationalsecurity-signal) tied the company to Israeli military intelligence units, NSO Group, and Cellebrite.
- TeleMessage’s website was changed to a simple, non-functional landing page.
- It was reported that Smarsh, the parent company, [notified users](https://www.404media.co/senator-demands-investigation-into-trump-admin-signal-clone-after-404-media-investigation/), _“it is not possible to register new users. Users that were logged out for their Apps will not be able to login again.”_

**May 6, 2025**

- One of the key journalists from the initial 404 Media coverage of the hack, [Micah Lee, published a detailed investigation](https://micahflee.com/despite-misleading-marketing-israeli-company-telemessage-used-by-trump-officials-can-access-plaintext-chat-logs/) revealing that TeleMessage can access plaintext chat logs despite marketing claims of end-to-end encryption.

**May 8, 2025**

- On May 8, the CVE Program [published CVE-2025-47729](https://www.cve.org/CVERecord?id=CVE-2025-47729), confirming what Micah Lee had previously revealed, that TeleMessage's TM SGNL app stores plaintext messages despite end-to-end encryption claims. The flaw is listed in CISA’s Known Exploited Vulnerabilities catalog.

**May 18, 2025**

- [WIRED released an article](https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes/) by Micah Lee with updated technical details revealing how the TM SGNL breach occurred. The hacker exploited insecure client-side MD5 password hashing and a critical server misconfiguration that exposed internal memory to the public internet. They accessed an unprotected `/heapdump` URL and downloaded server memory containing usernames, passwords, and unencrypted message content, despite TeleMessage’s previous claims of using end-to-end encryption.
- U.S. Customs and Border Protection (CBP) and Coinbase were noted as parties affected by the breach.
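
Why client-side MD5 hashing adds no protection once server-side data leaks, shown as an added example (not TeleMessage's code and not code from the reporting): the hash the client submits is itself the credential, so a server that stores and compares it directly is holding a password equivalent. The class and function names, the sample password, and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def client_md5(password: str) -> str:
    """Client-side step described above: unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()

class WeakServer:
    """Stores the client-supplied MD5 and compares it directly at login."""
    def __init__(self):
        self.users = {}

    def register(self, user: str, submitted: str) -> None:
        self.users[user] = submitted

    def login(self, user: str, submitted: str) -> bool:
        stored = self.users.get(user)
        return stored is not None and hmac.compare_digest(stored, submitted)

    def stored_value(self, user: str) -> str:
        return self.users[user]

class HardenedServer(WeakServer):
    """Treats the submitted value as the secret; keeps only a salted, slow verifier."""
    ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

    def _derive(self, submitted: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, self.ITERATIONS)

    def register(self, user: str, submitted: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, self._derive(submitted, salt))

    def login(self, user: str, submitted: str) -> bool:
        record = self.users.get(user)
        if record is None:
            return False
        salt, verifier = record
        return hmac.compare_digest(verifier, self._derive(submitted, salt))

    def stored_value(self, user: str) -> str:
        return self.users[user][1].hex()

def stored_value_grants_login(server, user: str, password: str) -> bool:
    """Register, then try to log in using only what the server keeps for the user."""
    server.register(user, client_md5(password))
    assert server.login(user, client_md5(password))  # legitimate login still works
    return server.login(user, server.stored_value(user))
```

Server-side salted hashing only protects what is stored at rest. Values passing through process memory can still appear in a memory dump, so the diagnostic endpoint has to be closed off separately.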

**July 1, 2025**

- The Cybersecurity and Infrastructure Security Agency (CISA) [added two new TeleMessage SGNL flaws](https://www.cisa.gov/news-events/alerts/2025/07/01/cisa-adds-two-known-exploited-vulnerabilities-catalog) to its Known Exploited Vulnerabilities catalog:

  - [CVE-2025-48927](https://www.cve.org/CVERecord?id=CVE-2025-48927): Initialization of a Resource with an Insecure Default Vulnerability
  - [CVE-2025-48928](https://www.cve.org/CVERecord?id=CVE-2025-48928): Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability

**October 2025**

- As of October 2025, [TeleMessage's site](https://www.telemessage.com/) consisted of a simple landing page with a [Contact Us](https://www.telemessage.com/contact-us/) link and a [Privacy Policy](https://www.telemessage.com/privacy-policy.html), but implied links like "Learn about," were no longer clickable.

_Also available via our [Substack newsletter.](https://commacompliance.substack.com/)_

_This article is for informational purposes only and does not constitute legal or compliance advice._
