Intercept Signal Tip Line Compromised for Months, Likely by China-Based Actor
"somebody went in and claimed The Intercept's Signal account, which I think the intercept.01, um, and started messaging and start and also set up a, um, Twitter account that was they said they were The Intercept's kind of investigative intake side. So, this this fake account here, and then this is me reaching out to them, um, would underneath a tweet by the White House or Chuck Schumer or Jim Jordan, would say, 'If you have more information on this, reach out to the Intercept at the Intercept.01 signal.'"
About this episode
Ryan Grim reports on Breaking Points about a major security breach at The Intercept involving its Signal tip line for confidential sources. The investigation reveals that The Intercept's Signal account became dormant due to inactivity and was subsequently claimed by an unauthorized party who impersonated the news organization for an extended period, possibly months or longer. The fraudulent operator created fake Twitter accounts using The Intercept's branding and actively solicited tips from potential whistleblowers under high-profile political posts from figures like the White House, Chuck Schumer, and Jim Jordan. Analysis of the account activity suggests the operator was based in the Hong Kong/Beijing time zone, with English-as-a-second-language communication patterns, raising concerns about potential foreign intelligence involvement. The Intercept's response has been criticized as inadequate, issuing only a brief notice about updating security practices and creating a new Signal handle without explicitly warning sources who may have communicated with the compromised account. Grim emphasizes that The Intercept cannot know whether sources were compromised since communications went directly to the third party. The incident exposes both a technical vulnerability in Signal's dormant account policies and organizational failures in source protection at a major investigative journalism outlet. The discussion highlights broader implications for journalistic security practices and the protection of confidential sources in the digital age.
Key takeaways
- The Intercept's Signal tip line was hijacked after becoming dormant, with an unauthorized party claiming the account and impersonating the organization for months.
- The fraudulent operator created fake Twitter accounts and actively solicited confidential tips under posts from major political figures including the White House and congressional leaders.
- Evidence suggests the account operator was based in the Hong Kong or Beijing time zone, with non-native English communication patterns, raising foreign intelligence concerns.
- The Intercept issued only a minimal security update without explicitly warning sources who may have communicated with the compromised account during the breach period.
- Ryan Grim criticizes The Intercept for not publicly acknowledging the full scope of the breach or advising potentially compromised sources to take protective measures.
- The incident reveals that Signal accounts become claimable by others after a period of dormancy, a security vulnerability many users may not be aware of.
- The compromised account remains active and continues soliciting tips while impersonating The Intercept, despite the organization establishing a new official account.