CellTrust Blog

How was TeleMessage hacked? Does this mean that all messaging apps that capture and archive data are vulnerable? And finally, what should be on your secure compliant mobile communications cybersecurity checklist?

Who is TeleMessage and how were they hacked?

According to media reports, on May 4, 2025, a hacker exploited an exposed debugging endpoint on TeleMessage’s archive servers. TeleMessage, acquired by Smarsh in February 2024, is an enterprise messaging and archiving platform headquartered in Petah Tikva, Israel, used by financial services and government organizations in the USA and other countries.

404 Media first reported the breach later the same day. The reporting that followed (see the references at the end of this post) described how the hacker reached TeleMessage’s backend servers through a publicly reachable Spring Boot Actuator /heapdump endpoint and obtained plaintext usernames, passwords, chat logs and encryption keys, all within about 15 to 20 minutes.

Vulnerable endpoint exposed

TeleMessage had left a Spring Boot Actuator /heapdump endpoint publicly reachable on one of its servers.

  • The endpoint exists for debugging and should never be reachable from the internet, let alone without authentication
  • It allowed anyone to download a heap dump, i.e. a copy of everything the running JVM held in memory at that moment
  • In Spring Boot 2.x and later, heapdump is not exposed over HTTP unless it is explicitly listed in management.endpoints.web.exposure.include; Spring Boot 1.x exposed actuator endpoints by default and relied on Spring Security being present to protect the sensitive ones, which is why old, unpatched deployments are a common source of this exposure
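The exposure above comes down to configuration, so it can be caught before deployment. What follows is an added example for this post, not TeleMessage’s or CellTrust’s code: a check that can run in CI over a Spring Boot application.properties and report which secret-bearing actuator endpoints are reachable over HTTP, with a constructed weak configuration beside a hardened one. It models the Spring Boot 2.x/3.x exposure rules (include and exclude lists, per-endpoint enabled flags, a separate management port) for the .properties format only. The default of exposing only health over HTTP is an assumption that matches current releases, and the check cannot see Spring Security rules, so a finding means “reachable unless an authentication layer in front of it says otherwise”.

```python
"""Audit a Spring Boot application.properties for web-exposed debug endpoints.

Added example for this post, not TeleMessage's or CellTrust's code. It models the
Spring Boot 2.x/3.x actuator exposure rules for the .properties format only (a YAML
file would need a YAML parser) under the assumptions noted in the comments.
"""
import re

# Actuator endpoints whose output leaks secrets or lets a caller alter the app.
# heapdump returns the whole JVM heap, which is what the TeleMessage attacker pulled.
SENSITIVE_ENDPOINTS = {"heapdump", "env", "threaddump", "logfile", "shutdown",
                       "mappings", "beans", "configprops", "jolokia"}

# Assumption: with no explicit include list, only 'health' is exposed over HTTP
# (older 2.x releases also exposed 'info'; neither is in the sensitive set).
DEFAULT_WEB_INCLUDE = {"health"}


def parse_properties(text):
    """Minimal .properties reader: key=value or key: value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def _csv(value):
    """Split a comma-separated property value into a set of endpoint ids."""
    return {v.strip() for v in value.split(",") if v.strip()} if value else set()


def exposed_sensitive_endpoints(text):
    """Return {endpoint_id: detail} for sensitive endpoints reachable over HTTP.

    Rules modelled: exclude beats include; '*' means every endpoint; an endpoint
    disabled via management.endpoint.<id>.enabled (or enabled-by-default=false)
    is never exposed. Spring Security rules live in code, not here, so a finding
    means "reachable unless an auth layer in front of it says otherwise".
    """
    p = parse_properties(text)
    include = _csv(p.get("management.endpoints.web.exposure.include")) or DEFAULT_WEB_INCLUDE
    exclude = _csv(p.get("management.endpoints.web.exposure.exclude"))
    enabled_default = p.get("management.endpoints.enabled-by-default", "true").lower() == "true"
    mgmt_port = p.get("management.server.port")
    app_port = p.get("server.port", "8080")

    findings = {}
    for ep in sorted(SENSITIVE_ENDPOINTS):
        enabled = p.get(f"management.endpoint.{ep}.enabled", str(enabled_default)).lower() == "true"
        if not enabled or "*" in exclude or ep in exclude:
            continue
        if "*" in include or ep in include:
            where = (f"separate management port {mgmt_port} (firewall it)" if mgmt_port
                     else f"the application port {app_port}")
            findings[ep] = f"exposed over HTTP on {where}"
    return findings


# Constructed sample: the dangerous pattern, every endpoint on the internet-facing port.
WEAK_CONFIG = """
server.port=8080
management.endpoints.web.exposure.include=*
"""

# Constructed sample: only health/info over HTTP, heapdump and env disabled outright,
# and the management interface moved to its own port that can be firewalled.
HARDENED_CONFIG = """
server.port=8080
management.server.port=9090
management.endpoints.web.exposure.include=health,info
management.endpoint.heapdump.enabled=false
management.endpoint.env.enabled=false
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {exposed_sensitive_endpoints(cfg) or 'no sensitive endpoint exposed'}")
```

Run it as a pre-deployment gate and fail the build on any non-empty result; even when a management port is firewalled, disabling heapdump outright is the safer default because nothing in the application needs it in production.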

Hacker downloaded the heap dump

The hacker found the exposed endpoint and downloaded a heap dump, a snapshot of the application’s memory at a given point in time.

  • The dump contained plain-text usernames, passwords, encryption keys and live session tokens for TeleMessage’s backend and archive systems
  • Credentials for both the Signal-based TM SGNL client and TeleMessage’s admin portals were among them
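A download like this leaves a clear trace in the web server’s access log. The block below is an added example, not from the original post or from TeleMessage, of the kind of detection a SOC would run over reverse-proxy or Tomcat access logs in Combined Log Format: it flags requests for heapdump, env and similar endpoints whether they sit under /actuator, a custom management base path or the root (as in Spring Boot 1.x), and grades each hit by whether the server actually served it and whether the client was external. The log lines and the internal address ranges are constructed assumptions.

```python
"""Flag access-log requests for sensitive Spring Boot Actuator endpoints.

Added example for this post, not from the original page or from TeleMessage.
Reads Combined Log Format lines (nginx/Apache/Tomcat access valve) and grades
each hit on a secret-bearing endpoint. Internal address ranges are an assumption.
"""
import ipaddress
import re

# Endpoint ids that return secrets or application internals.
SENSITIVE = r"(?:heapdump|env|threaddump|logfile|shutdown|beans|mappings|configprops|jolokia)"
# The id must end the path: catches /actuator/heapdump (Boot 2+), /manage/heapdump
# (custom base path) and /heapdump (Boot 1.x served endpoints at the root).
PATH_RE = re.compile(rf"(?:^|/){SENSITIVE}/?$")
# Combined Log Format: src ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Assumed RFC 1918 internal ranges; adjust to the environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True when the source address falls inside an assumed internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_actuator_abuse(lines):
    """Return one finding per request that targets a sensitive actuator endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not PATH_RE.search(path):
            continue
        status = int(m.group("status"))
        served = 200 <= status < 300
        if served and not is_internal(m.group("src")):
            severity = "high"     # the data actually left the perimeter
        elif served:
            severity = "medium"   # internal caller, still a lateral-movement gift
        else:
            severity = "recon"    # refused, but somebody is probing for it
        findings.append({
            "src": m.group("src"), "path": path, "status": status,
            "bytes": 0 if m.group("bytes") == "-" else int(m.group("bytes")),
            "severity": severity,
        })
    return findings


# Constructed sample lines: one external heap dump pull, a routine health probe,
# an external /env read, and a blocked probe for a root-level /heapdump.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2025:18:12:03 +0000] "GET /actuator/heapdump HTTP/1.1" 200 157286400 "-" "curl/8.5.0"
10.0.0.5 - - [04/May/2025:18:12:09 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.29"
203.0.113.7 - - [04/May/2025:18:13:44 +0000] "GET /actuator/env HTTP/1.1" 200 48211 "-" "python-requests/2.31"
198.51.100.9 - - [04/May/2025:18:14:01 +0000] "GET /heapdump HTTP/1.1" 401 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for f in find_actuator_abuse(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['src']} {f['path']} status={f['status']} bytes={f['bytes']}")
```

A 2xx on heapdump with a response size in the hundreds of megabytes from an external address is the signature to alert on immediately; the "recon" hits are worth keeping too, because they show who was looking before the endpoint was ever exposed.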

Backend access achieved

Using the credentials and session tokens, the hacker:

  • Accessed admin dashboards
  • Downloaded archived message logs from government agencies and private firms
  • Exported contact lists and metadata (such as sender/receiver, timestamps, and locations)
  • Captured internal screenshots and exported data bundles as proof

Services were suspended worldwide

The next day, as the story broke worldwide, TeleMessage suspended all services, confirmed the breach and began an investigation with external cybersecurity partners.

Which financial organizations were impacted?

According to press reports, Coinbase, Scotiabank and Galaxy Digital were among the financial institutions impacted by the breach. None of the reports suggest that customer account or financial transaction details were accessed, but exposed staff communications and credentials are exactly the material needed for convincing phishing and other targeted follow-on attacks.

Over 60 US government agencies affected

Further reporting indicated that metadata or archived communications of over 60 US government agencies were impacted, including FEMA, US Customs and Border Protection, the US Secret Service, White House staff and the US diplomatic corps, as well as other agencies affiliated with the Department of Homeland Security.

Agency / users                       Type of exposure
FEMA                                 Metadata and message fragments
US Customs and Border Protection     Logs and metadata
US Secret Service                    Archived communications
US White House staff                 Metadata and fragments
US Diplomatic Corps                  Metadata and fragments
Additional DHS-affiliated agencies   Metadata and fragments

(As widely reported in the press.)

CISA KEV listing

This prompted CISA (the US Cybersecurity and Infrastructure Security Agency) to add the underlying TeleMessage TM SGNL vulnerability, tracked as CVE-2025-47729, to its Known Exploited Vulnerabilities (KEV) catalog, which obliges US federal civilian agencies to remediate listed vulnerabilities by a set deadline.

Does this mean that all messaging apps that capture and archive data are vulnerable?

“The short answer is no; it does not. All messaging apps capturing and archiving data are not equal; they are engineered based on experience, expertise, what the company strategy and leadership deems a priority and whether they are prepared to invest not just thousands of dollars in cybersecurity best practice but hundreds of thousands of dollars or more,” explains Sean Moshir, CellTrust co-founder and CEO.

Engineered at enterprise level with security best practice

  • CellTrust SL2 integrations with third-party apps are engineered against the API provided by the original third-party vendor and follow that vendor’s specifications for secure use
  • CellTrust does not “wrap” or “clone” third-party apps, since doing so raises intellectual-property and security concerns
  • The SL2 app does not communicate directly with the archivers; communications between the app and the SL2 server are encrypted with Transport Layer Security (TLS) 1.2 or above, with a comprehensive registration process in place to establish the initial handshake
  • SL2 Enterprise Capture is enterprise-level software engineered on the Microsoft Azure technology stack in the Microsoft Azure cloud to protect the enterprise from the risk of cyber attacks or data loss while enhancing productivity and efficiency for organizations of all sizes, some with mission-critical operations
  • SL2 Enterprise Capture uses Microsoft Azure Key Vault to store passwords, usernames, encryption keys and tokens. Azure Key Vault is a managed store for sensitive material that helps protect against unauthorized access and data breaches. Note that a vault protects secrets at rest and controls who may read them; a secret that an application has already loaded into memory is still present in any heap dump, so debugging endpoints must be locked down regardless
  • SL2 is available with container options, including Microsoft Intune, Ivanti Neurons™ and BlackBerry® UEM, which give organizations advanced controls to monitor and manage communications and deployments, such as single sign-on (SSO)
  • The SL2 app provides end-to-end encryption in transit and at rest for government agencies and enterprises that want a secure, compliant internal mobile communication solution without integrating another application (e.g. Signal or WhatsApp)
  • CellTrust’s direct Carrier Capture and Stacked Capture solutions are engineered against the latest major US carrier APIs and benefit from the same enterprise-level, hardened security infrastructure as CellTrust’s App Capture

“CellTrust’s SL2 for WhatsApp was developed in collaboration with WhatsApp, engineered with the Business APIs provided by them and in adherence with their specifications to ensure security and encryption are never compromised. Our Carrier Capture and Stacked Capture solutions are engineered with the latest major US Carrier APIs and benefit from the same enterprise level, hardened security infrastructure as our App Capture solution,” clarifies Kevin Moshir, CellTrust co-founder and COO.

Founded by security pioneers – a team at the leading edge

CellTrust’s team includes cybersecurity authorities with decades of experience and advanced expertise in information security strategy for enterprises and government. Its founders are pioneers of anti-virus and of the multibillion-dollar enterprise patch management industry, and are named inventors on over 60 US and international patents addressing mobile security and compliance.

Member of the Microsoft Intelligent Security Association

Headquartered in Scottsdale, Arizona, USA, CellTrust is a member of the Microsoft Intelligent Security Association (MISA), which consists of Microsoft’s premier security partners: independent software vendors (ISVs) and managed security service providers (MSSPs) that have integrated their solutions with Microsoft Security products. The approximately 400 MISA members, nominated by Microsoft, are experts from across the cybersecurity industry who share the goal of improving customer security.

What should be on your secure compliant mobile communications cybersecurity checklist?

1) Find a technology partner with a profound understanding of cybersecurity and the threat landscape

As you conduct due diligence on any third-party technology partner, verify that its information security strategy, policies and culture put confidentiality, integrity and availability first, and that it employs experienced security professionals as a matter of priority. Ask specifically how internet-facing services are hardened and who reviews them: the TeleMessage breach required no software exploit, only a debugging endpoint that had been left reachable.

2) Verify they embed NIST SP 800-53 security postures across their organization

NIST SP 800-53, the National Institute of Standards and Technology’s catalog of security and privacy controls, lays the foundation for a firm’s security posture. It defines management, operational and technical controls for building secure and resilient information systems that maintain confidentiality, integrity and availability, and it supports a multi-tiered approach to risk management at the organization, mission and system levels. Its companion, NIST SP 800-53B, groups the controls into low, moderate and high baselines selected according to the impact level of the system being protected.

3) Zero Trust architecture as best practice must be implemented

Zero Trust architecture grants no implicit trust based on network location: every request is authenticated and authorized explicitly, network segmentation prevents lateral movement, threat prevention is layered, and user access is controlled at a granular level. A foundational building block of the model is a strong identity provider (in Microsoft environments, Entra ID or Active Directory) that enforces identity management and conditional access for both users and devices. The TeleMessage breach is a reminder that an unauthenticated management endpoint on an internet-facing server is the opposite of this posture: it serves application memory to any caller who finds it.

4) Practice Data Minimization

CellTrust limits the collection of personal data to what is adequate, relevant and reasonably necessary for the purposes for which it is processed, as disclosed in its privacy notice. This is the practice of data minimization, and it also limits what an attacker can take: data that was never collected cannot be exfiltrated from an archive.

5) Practice privacy and security by design

Privacy and security are integral to organizational priorities, project objectives, design processes and planning at CellTrust, and include these actions:

  • Being proactive instead of reactive
  • Identifying risks and mitigating those risks or determining if you can accept some risks
  • Taking a multidisciplinary design approach across the organization from the start
  • Remaining at the forefront of security and privacy regulations and developments

6) Offer a secure, compliant, internal mobile comms network

CellTrust’s patented SecureSMS® and SecureVoice™ technologies secure internal staff-to-staff chats and voice calls, with multiple archiving options for text, MMS, chat, voice, separate voice and SMS endpoints, and short codes. Documents and images can be attached within a group chat and are secured with the same enterprise-grade protections, so agencies and enterprises can run a secure, compliant internal mobile communication channel without integrating another application.

Still have questions? Talk with an expert

Book 30 minutes with a member of our team

#Security #Compliance #InfoSec #Databreach #Telemessage #Signal #Dataleak #BusinessTexting #FinServ #RegTech #MobileCommunications #Government #SEC #FINRA #Enterprise

For more information:

https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes/

https://techcrunch.com/2025/05/05/telemessage-a-modified-signal-clone-used-by-us-government-officials-has-been-hacked/

https://www.404media.co/the-signal-clone-the-trump-admin-uses-was-hacked/

https://dailysecurityreview.com/podcasts/telemessage-exploit-inside-the-messaging-flaw-that-hit-coinbase-and-cbp/

https://www.scworld.com/brief/telemessage-services-suspended-after-hacking-incident

https://www.securitymagazine.com/articles/101604-hackers-claim-to-steal-files-from-app-used-by-trump-adviser

https://www.reuters.com/world/us/hacker-who-breached-communications-app-used-by-trump-aide-stole-data-across-us-2025-05-21/

https://www.securityweek.com/cisa-warns-of-flaw-in-telemessage-app-used-by-ex-national-security-advisor/

https://www.scworld.com/news/telemessage-signal-app-lands-on-cisas-exploited-vulnerability-list