So this is the story of how I got logged out of my Signal account, recovered it, but actually made a new account, then had to make two more new accounts because... well, you'll see. Through this whole thing I believe I discovered a bug or two in both Molly and Signal.
Setting the stage
A bit of context: I use JMP.chat to register phone numbers that I use over XMPP. I have no "normal" phone numbers. My phone's never had a SIM card in it, and it's always on airplane mode. I also use Molly IM as my Signal client.
When I got this phone, I was worried about my safety number changing when migrating, and to lessen the chances of that, I thought I'd be clever: I used the Link Device feature instead. Molly lets you link phones as secondary devices - but I didn't realize it would be a secondary device. I assumed any phone would be able to do phone stuff, and that desktop clients simply didn't have those features. It was only much later on that I realized my mistake.
At some point, I realized that I'd lost control of the phone number that I used to register my Signal account, and it wasn't available through JMP anymore. This is of course very bad™.
This is also where I realized that my new phone was a "secondary" device, because I couldn't change the phone number on the account (and yes, obviously by now I didn't know where my old phone was).
So, I thought I'd make a backup and restore my account and be on my merry way... except that the backups weren't working. It's also not trivial to figure out how to restore a backup to a live account without losing access. I tried to use the private space feature to install a second Molly instance, but like I said, it wasn't able to restore my backup for some reason.
Of course I tried signalbackup-tools to no avail. So, I put it off a little while.
As I accumulated more contacts and group chats, I started to notice something: Signal kept prompting me to verify myself to continue chatting. I had to complete the captchas for my messages to send; but they never successfully submitted, either. I kept getting this cryptic "failed to submit" error message.
Fast-forward a few more months to about a month ago: Signal started to warn me that I hadn't logged into my primary device in a long time, and I had to in order to keep this one active. It did give me the option to postpone it, so I assumed that it would continue to warn me if this was the case.
Obviously, I was wrong.
Act 1: Logged Out
Last night, as I was chatting, I was suddenly logged out of my account. I half expected this to happen at some point, so I wasn't panicking, but it was a surprise that I got no warning.
The only option the app told me was to re-register my phone number - but it warned me that I'd lose all my contacts, chats, and profile data. I have ~250 contacts, 75 group chats, and literally years of chat logs. Some of them are very important, so losing all that was simply not an option.
"No big deal", I thought, "I'll just spin up a new XMPP account, a new JMP number, and restore my backup. I hope it works!" So I tried that.
I installed Molly in the private space, and began to restore the backup. The backup fortunately restored successfully, and then it prompts me for my account PIN, which I enter. Then it asks me to complete an hCAPTCHA. Then it asks for my phone number to verify me. I enter the new phone number from my fresh new JMP account, receive the text, enter the code.
It asks me once more to submit a CAPTCHA.
Then it asks me again to verify my phone number.
At this point I'm very suspicious things are working properly, but I got past this step and it asks me to create a new PIN for my account (which is also somewhat suspicious). That part completes successfully. Finally, I'm in.
Looking at my account, I notice a few things: all my chats are there, but my Notes to self chat is suddenly just the name of my account. And my account has a different name and profile picture: that of a cat I've never seen, and my name is "last number". What?
I go to message a group chat to let them know what just happened, but it says I left the group. Huh?
I try another group chat. Same thing.
I soon realize that I've "left" every group chat I'm in, except for one, which says I added someone else to. I'm really confused at this point.
I message one of my contacts, they reply, and I ask if they saw my name change in the chat history. They said no, which I also found extremely weird. Aren't chats supposed to be alerted when a member changes their name?
Anyway, despite all this, my chat history is there, and so are my contacts. I can get them to re-add me to my groups if need be. It's annoying, but doable.
I switch back to my regular side of my user profile, and begin the restore process once more. I go to app info, storage and cache, and select clear storage.
I go to restore my backup. It asks for my backup passphrase, and restores successfully. It asks for my account pin, then asks me to submit a CAPTCHA. It does the SMS verification, and again asks for me to submit a CAPTCHA; then asks me to do the SMS verification again - but nothing arrives. I try several times to ask for a new code, but nothing comes.
I go back to app info, force close the app, and try again.
When I get back into the app, it's now in a state where it's trying to restore a Signal cloud backup (as opposed to Molly's local backups). It gives me the option to skip restoring the backup (deleting everything), or to go back. The go back button doesn't work. Tapping that just makes the popup go away for a millisecond before prompting me again. Fuck.
The only way out of this is to force close the app, clear its storage again. This of course puts me back at the backup restoration flow again. This time, though, when I enter the account PIN, it says "error connecting to service".
Assuming at this point they're throttling me for sending too many SMS verification codes, but not sure if it's my IP, my device, or my phone number, I go to register another new account using another JMP number; and sure enough, I was able to register. It asked me for CAPTCHAs etc, sure; but I was able to get through and create the account.
At this point I'm pretty sure that I'm just being throttled for too many attempts to re-register and to restore accounts etc. I made a local-only vent post about it to my Fedi instance for my local scene, then go to bed.
Act 2: Shit Gets Weird
This morning I woke up, and I try to go through the restore process again. I did get one SMS verification text, but no more after that, and it went back to telling me "error connecting to service".
I'm fed up now. I go to the Matrix room for Molly, and start explaining what's going on. They've been quite helpful in the past so I had moderate hope they'd have a solution or at least some advice for me there. I also wanted to suggest that, when using the link device feature to link another phone, that it's made a lot more clear that the device is still very much a secondary device. If I'd known that, I wouldn't have gotten myself into this mess! I also thought that the whole "Signal can't tell which backup it's trying to restore" state is probably a Molly-side bug.
Of course, after typing out several messages, I opened a support ticket to Signal and likewise explained everything that happened. I also suggested that they should consider not throttling users' SMS verifications when they are presented with CAPTCHAs after doing the SMS verification, only to make them redo the SMS verification. This seems unfair.
I also noticed something odd: I'm now showing up in a bunch of group chats that I don't recognize, with a bunch of people I don't know, although there are a couple I did know from other group chats I used to be in. By "showing up", I mean the group chat appears in my chat logs, but the only thing I'm seeing is people leaving.
I also noticed that when I send messages to people, that it shows as sent but not received right away, and only just before they respond does it show as delivered. I recognize this behaviour as the same thing that happens when you add a new contact, so I asked one of these people: did they have to accept a new message request when I messaged them? Yup.
Now I think I have an idea of what's going on: I suspected that I was logged out because someone registered with the phone number that I'd lost control of, and that this person set my name and profile picture to what I'd discovered them as. I figured they got their friends to add them to a few group chats. It was the only thing I could think of, but it didn't totally add up: it still should've notified my contacts that I'd changed my name.
Soon after that, one of my friends added me to our group chat again, and.... I'm still there? Even though I just joined on this account? There are two of me there. I only then started to put two and two together: restoring chat backups doesn't restore your account. What I'd done is actually created a new account, and restored my chats to that new account.
This explains why nobody was notified that I'd changed names (I didn't), and why I "left" all these groups (also, I didn't: I was never in them on this account, but the client just says "I left" when it sees the membership status change). This didn't explain those mysterious new groups though....
Frustrated, I continue to vent on Fedi. I explain I'm gonna have to re-add all my contacts and probably re-join all my group chats.
Act 3: Things Start to Make Sense
Suddenly I get a DM on Fedi from my friend: "hi, i need to talk to you about your new signal account! please message me. urgent!"
Okay, kinda weird, but okay.
I hit them up, and they say "did you create a new account? Were you added to a bunch of crazy group chats? Is this your number?" I was extremely confused about how they knew all this, but I confirmed that yes all of that was true.
He then tells me the new number I registered was their friend's phone number, and I'd taken over their Signal account (and XMPP number)!
However unlikely it was, it did make sense. Why my profile had different info; why I was suddenly in a bunch of group chats of people I mostly didn't know - but some I recognized; why people had to add me again.
Obviously, I thought it was hilarious. My friend then asks if I'd be willing to transfer everything back. The person who had the account was a bit embarrassed and not sure what kind of messages I'd receive that were intended for them.
The rest of the story was tedious but straightforward: I transferred the JMP account to their Jabber ID, and then once they had control of the number they were able to re-register and reclaim the account.
I created another Signal account to restore my stuff to. (If you've been keeping track, this is actually the fourth account now)
Finally, I can begin the process of re-adding all of my 250 contacts, and having them re-add me to my 75 or so group chats...
Conclusion: Some Lessons Learned
Now I've got a very annoying road ahead of me: re-adding all my contacts, my groups, and proving to everyone I am who I claim I am. Also, I've got two accounts: my restored-but-new-account, and the alt that I've made in the extremely unlikely event something like this happens again. (This way I don't have to go through the whole "proving who I am" song-and-dance.)
This saga was unnecessary and stressful, but it did teach me a few things about how Signal works. Of course, I have a few takeaways, too:
Linked devices are very much secondary devices. This is obvious in hindsight, but at the time I guess I wasn't thinking. When you get a new phone, just go through the restoration process with the same number.
Make sure you have registration lock enabled! This is another obvious one.
Signal backups are NOT account backups. They simply restore your chat history to whatever account you load them to. You could totally restore a Signal chat backup to multiple accounts in order to populate their contact lists.