“Certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts. As a result, only publicly available data was collected and the accounts themselves were not accessed.”
Telegram team added, “Such mass checks are no longer possible since we introduced some limitations into our API this year.”
The news also highlights that more than a dozen accounts were fully compromised by the hackers and according to Collin Anderson and Claudio Guarnieri who investigated this case, the vulnerability is sending authorisation codes via SMS text messages to activate new devices and these can be intercepted by the phone company.
Telegram introduced two-factor authentication last year and also advised users to enable 2FA to prevent interception of SMS-verification codes via a mobile carrier. But as this feature is not enabled by default and due to limited knowledge about security among the general public, this window of opportunity remains relatively open for the hackers.
Collin Anderson is an independent cyber-security researcher and Claudio Guarnieri is an Amnesty International technologist. Anderson and Guarnieri will present their findings at the Black Hat security conference in Las Vegas today.