Cyber Incident Victim: TeleMessage
Date: May 2025
Location: United States of America
Summary
TeleMessage suspended all services after hackers claimed to have stolen files from it, prompting its owner Smarsh to investigate with an external cybersecurity firm. The U.S. Customs and Border Protection disabled the app as a precaution, and other federal agencies with contracts are reviewing their use. A hacker provided a screenshot showing the app’s employee contact list from Coinbase, which the exchange confirmed was authentic but stressed that no customer data was compromised. It remains unclear whether the accessed files contain any sensitive government conversations.
Description
TeleMessage, the messaging app used by former national security adviser Mike Waltz to archive his group chats, suspended all services on May 1, 2025 after the company announced it was investigating a potential security incident. A Smarsh spokesperson said that upon detection the company acted quickly to contain the issue and engaged an external cybersecurity firm to support the investigation, and that out of an abundance of caution all TeleMessage services were temporarily suspended. The app had come under public scrutiny after Waltz appeared to be using it during a Cabinet meeting, reviving concerns about the security of his communication methods that had been raised during the “Signalgate” controversy in which he inadvertently added a journalist to a Signal chat planning military strikes on Houthis in Yemen. Following the detection of the cyber incident, Customs and Border Protection, a component of the Department of Homeland Security, disabled TeleMessage as a precautionary measure, with a DHS spokesperson stating that the investigation into the scope of the breach was ongoing. The article notes that TeleMessage uses encryption technology similar to Signal but also provides government agencies and companies with a way to back up copies of chats for compliance purposes, a feature that had been highlighted in a now‑removed blog post describing the app’s purpose for balancing secrecy with archiving requirements.

On Sunday evening before the suspension, a hacker credibly claimed to NBC News to have broken into a centralized TeleMessage server and downloaded a large cache of files, providing a screenshot of TeleMessage’s employee contact list from the cryptocurrency broker Coinbase as evidence. A Coinbase spokesperson confirmed the screenshot’s authenticity but stressed that Coinbase itself had not been hacked and that none of its customers’ data were affected, noting that the tool is not used to share passwords, seed phrases, or other account‑access information. The hacker told NBC News they had not yet fully sifted through the hacked files, and it remained unclear whether the stolen data included sensitive conversations from the U.S. government. Separately, a different hacker told the tech publication 404 Media that they had also compromised TeleMessage and supplied significant evidence, although NBC News had not interacted with that source. Government records reviewed by NBC News indicated that several agencies, including the Department of Homeland Security, the Department of Health and Human Services, the Treasury Department, and the U.S. International Development Finance Corp., had active contracts with TeleMessage or related companies for its services. The article concludes that the breach prompted immediate service suspensions, precautionary disabling of the app by federal agencies, and an ongoing investigation supported by an external cybersecurity firm.
