Hackers Break Into Telegram, Revealing 15 Million Users' Phone Numbers

A vulnerability in Telegram has exposed the data of millions of people in Iran. Hackers in the country have compromised dozens of accounts by an SMS redirection hack, and also identified phone numbers of 15 million users, according to a report on Reuters. From the report: The attacks, which took place this year and have not been previously reported, jeopardized the communications of activists, journalists and other people in sensitive positions in Iran, where Telegram is used by some 20 million people, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying Iranian hacking groups for three years.As for the attack, hackers aren't targeting the encryption that protects messages between accounts, but how a phone number is tied to an account. When a user adds a new device to their Telegram account, the new device is confirmed through a one-time SMS message. Hackers are intercepting that SMS and cloning the data to a compromised device.

Update: Telegram reached out to Slashdot on Twitter with a link to a blog post that included:
Certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts. As a result, only publicly available data was collected and the accounts themselves were not accessed. Such mass checks are no longer possible since we introduced some limitations into our API this year. However, since Telegram is based on phone contacts, any party can potentially check whether a phone number is registered in the system. This is also true for any other contact-based messaging app (WhatsApp, Messenger, etc.). Read the rest of Telegram's official statement, including SMS codes allegedly being intercepted, here.

"A vulnerability in Instagram"???

[Anonymous Coward]

Editors need more coffee, as evidenced by this mistake.

On the other hand, if a vulnerability in Instagram resulted in a Telegram break-in, then I really should destroy my Instagram account right now.

Re:

[monkeyzoo]

Instagram or Telegram? Get your damn story straight /.

Re:

[K. S. Kyosuke]

Agile development is so fast these days that the names change even as you're writing!

Re:

[b0bby]

From TFA:

A spokesman for Telegram said customers can defend against such attacks by not just relying on SMS verification. Telegram allows — though it does not require — customers to create passwords, which can be reset with so-called “recovery” emails.

“If you have a strong Telegram password and your recovery email is secure, there’s nothing an attacker can do,” said Markus Ra, the spokesman.

So, they don't require it. One could argue that they shouldn't even allow it

Re:

[Frosty Piss]

So, they don't require it. One could argue that they shouldn't even allow it, though.

Perhaps they have a practical reason related to the type and location of many of their customers.

As well, you could say "perhaps they should not let morons use their service", but that doesn't work either, eh?

Re:

[b0bby]

AC is correct - I misread. The number is required. I guess you'd want to get a throwaway SIM of a disposable VOIP number for the initial setup, then set the password. Probably harder to do that in Iran than here though.

Re:

[account_deleted]

Comment removed based on user account deletion

What Slashdot didn't say is ...

[Mondor]

It's about Telegram, not Instagram. And all 15 million users were from Iran. Hence the problem was in SMS provider in Iran, not just in Telegram. Could be even the government. That is - IF such hack indeed happened. NSA hates Telegram, so I wouldn't be surprised if it's early April fools.

Re:

[Mondor]

Oh, and before we go any further, here is the official reply from Telegram:

"Certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts. As a result, only publicly available data was collected and the accounts themselves were not accessed. Such mass checks are no longer possible since we introduced some limitations into our API this year.

However, since Telegram is based on phone contacts, any party can potentially check whether a phon

Well deserved

[Khyber]

Handing out your phone number for an IM service is just asking for shit like this to happen. Telegram exposed themselves to this kind of attack due to their sheer arrogance in thinking the cellular system was secure by any means.

Smart in using encryption, stupid in explicitly trusting a network.

Re:

[Khyber]

XMPP/Jabber is much safer, especially run through Pidgin with OTR, you ignorant fuckwit.

Re:

[OrangeTide]

I remember when my phone number was listed in a public directory known as a "Telephone Book". Anyone with access to a "Pay Phone" could read this "Telephone Book" and determine my phone number and home address. (the reverse of looking up my name and address using my phone number was harder as the book was physically printed on trees and could not be re-indexed or accessed electronically by the average person)

Re:

[Anonymous Coward]

It took 15 minutes to view?

nooo. unhidden.

you fuckers. some agency is monitoring this site.

If this is not seen I will send a screenshot to the EFF.

Re:

[Anonymous Coward]

Do you have discount codes for the tinfoil hat store?

2fa not helping

[amias]

Suggesting that 2fa would have helped here is not helpful. This happened because an Iranian phone company was hacked, using 2fa via SMS is not going to achieve anything when the phone conpany is not trustable.