In February 2025, the National Security Agency issued an operational security special bulletin to its personnel, alerting them to vulnerabilities associated with the encrypted messaging application Signal, as revealed by internal NSA documents obtained by CBS News.
The announcement of the NSA bulletin follows the fallout from a revealing article released Monday in The Atlantic. Editor-in-chief Jeffrey Goldberg described how Defense Secretary Pete Hegseth accidentally shared war plans with him in an encrypted Signal chat just two hours before the U.S. military executed attacks against Houthi militia in Yemen. Goldberg noted that Hegseth’s messages contained “specific details about weapon packages, targets, and timing.”
The NSA, a division of the Defense Department, focuses on signals intelligence gathered from electronic communications and cybersecurity. Its primary role is to monitor, collect, and analyze information to safeguard U.S. national security interests.
The documents, unclassified yet restricted for official use only, were titled “Signal Vulnerability” and were distributed to CBS News by a senior U.S. intelligence official prior to Goldberg being unintentionally added to the group chat, reportedly by national security adviser Mike Waltz.
The internal bulletin stated, “A vulnerability has been identified in the Signal Messenger Application. The use of Signal by common targets of surveillance and espionage has made the application a prime target for intercepting sensitive information.”
The bulletin cautioned that Russian hacking groups are leveraging phishing scams to access encrypted conversations, thereby circumventing the application’s end-to-end encryption.
Additionally, the bulletin emphasized to NSA personnel that while third-party messaging applications like Signal and WhatsApp can be used for certain “unclassified accountability/recall exercises,” they should not be employed for sharing more sensitive information.
Employees were also advised against sending “anything compromising over any social media or Internet-based tool or application” and were warned not to “establish connections with individuals they do not know.”
CBS News reached out to the NSA for comment but did not receive a response prior to publication.
In response to the bulletin, Signal issued a statement on social media, clarifying that the NSA’s memo referred to a ‘vulnerability’ concerning phishing scams aimed at Signal users, not the application’s core technology.
“Phishing is a long-standing issue and does not indicate a flaw in our encryption or Signal’s underlying technology,” the company stated. “Phishing attacks are an ongoing threat for popular apps and websites.”
On Tuesday, National Director of Intelligence Tulsi Gabbard and CIA Director John Ratcliffe, both of whom were reportedly participants in the Signal group chat, testified before a Senate panel.
“There was no classified information shared in that Signal chat,” Gabbard affirmed to lawmakers. However, the NSA bulletin cautions that even unclassified information should not be discussed on Signal, advising users against sharing “unclassified, nonpublic” details on the platform.
Ratcliffe noted that Signal “is an acceptable application” sanctioned by the White House for senior officials. He mentioned that the group chat served as “a mechanism for communication among senior officials but is not a replacement for high side or classified communications.”
When asked by Democratic Senator Martin Heinrich of New Mexico whether the Signal conversation included data on “weapons packages, targets, or timing,” Ratcliffe responded, “Not that I’m aware of,” and Gabbard echoed, “Same answer and defer to the Department of Defense on that question.” Both claimed they were unaware of the chat including operational specifics of the Yemen strike.