Millions of Telegram Users’ Data Exposed on Darknet

Published at: June 24, 2020

Telegram, a major privacy-focused messaging app, has suffered a data leak that exposed some personal data of its users on the darknet.

A database containing the personal data of millions of Telegram users has been posted on a darknet forum. The issue was first reported by Russian-language tech publication Kod.ru on Tuesday.

According to the report, the database contains phone numbers and unique Telegram user IDs. It remains unclear exactly how many users' data was leaked while the database file is about 900 megabytes.

About 40% of entries in the database should be relevant

Telegram has reportedly acknowledged the existence of the leaked database to Kod.ru. The database was collected through exploiting Telegram’s built-in contacts import feature at registration, Telegram reportedly said.

Telegram noted that the data in the leaked database is mostly outdated. According to the report, 84% of data entries in the database were collected before mid-2019. As such, at least 60% of the database is outdated, Telegram declared in the report.

Additionally, 70% of leaked accounts came from Iran, while the remaining 30% were based in Russia.

All phone-based apps are vulnerable to this type of attack, Telegram says

Speaking to Cointelegraph, a spokesperson at Telegram highlighted that the reported vulnerability is a major problem for all contact-based messengers. This includes the company’s biggest rival, WhatsApp. The representative said:

“Like other phone-based messengers (Facebook Messenger, WhatsApp, Viber), Telegram allows you to see which of your contacts are also using the app. Unfortunately, any contacts-based app faces the challenge of malicious users trying to upload many phone numbers and build databases that match them with user IDs – like this one.”

The spokesperson also emphasized that the leaked database only contains connections between phone numbers and Telegram user IDs and no accounts have been accessed. “No passwords, no messages or other sensitive data are present,” Telegram elaborated.

Just the latest leak

This is not the first instance of Telegram users' phone numbers being leaked. In August 2019, Hong Kong activists reported on a vulnerability that exposed their phone numbers, allowing Chinese law enforcement agencies to track protesters’ identities.

In response to the vulnerability, Telegram expanded user privacy tools in September 2019. Specifically, Telegram introduced a feature allowing users to show their phone number to nobody at all. The feature’s description reads:

“If you set Who Can See My Phone Number to ‘Nobody’, a new option will appear below, allowing you to control your visibility for those who already have it. Setting Who Can Find Me By My Number to ‘My Contacts’ will ensure that random users who add your number as a contact are unable to match your profile to that number.”

The report comes soon after Russian authorities lifted the two-year ban on Telegram app in the country.

Tags
Related Posts
Crypto at risk after Facebook leak: Here’s how hackers can exploit data
Facebook is no stranger to data hacks and leaks, with the company having been on the receiving end of many high-profile security breaches in recent years. For example, back in 2018, the social media giant revealed that it had inadvertently exposed the personal information of more than 50 million users due to a small error in its platform coding, thus allowing miscreants to gain access to its users’ accounts. Similarly, in 2020, the Mark Zuckerberg-led firm was embroiled in another major controversy when it came to light that thousands of developers had been able to access data from inactive platform …
Technology / April 7, 2021
Zoom Will Offer End-to-End Encryption to All Users
On June 17, the popular video conference app, Zoom, officially announced that end-to-end encryption, or E2EE, has finally arrived for their software. It will be provided to both free and paid users, so long as their account has passed the company’s verification process. According to the announcement, during the beta phase that will start from July, users should verify their phone numbers via a text message. The aim of this step is to prevent the mass creation of abusive accounts. Zoom commented: “We are confident that by implementing risk-based authentication, in combination with our current mix of tools - including …
Technology / June 17, 2020
Russia May Lift Telegram Ban Due to Coronavirus Outbreak
After years of unsuccessful efforts to block Telegram in Russia, the country’s government is now considering lifting the ban due to the coronavirus outbreak. According to an April 22 report by Russian news agency Kommersant, two deputies at the State Duma have prepared a draft bill on terminating the ban of Telegram’s encrypted messenger app in Russia. If you can’t beat it, join it In the bill, the State Duma deputies reportedly argued that Telegram has become an “official service” used by state authorities to raise awareness about the measures to mitigate the COVID-19 pandemic. The officials elaborated that local …
Regulation / April 23, 2020
Unofficial Iranian Telegram Applications Leak Data of 42M Users
While Telegram isn’t giving up its ongoing legal battle with United States regulators to launch its TON blockchain project, some online perpetrators are taking advantage of the messenger’s popularity to expose millions of user records of third-party versions of Telegram app. Per an investigation by cybersecurity firm Comparitech and security researcher Bob Diachenko, at least 42 million Iranian “Telegram” usernames and phone numbers were leaked via unofficial Iranian-made versions of Telegram, while real Telegram is banned in the country. 42 million Iranians that are willing to use the banned messenger got their data exposed According to a March 30 report …
Blockchain / March 31, 2020
Digital identity platform integrates with zkSync for on-chain KYC
RNS.id, a digital Web3 identity platform developed to support the application and issuance of sovereignty-backed IDs, announced on Nov. 30 that it is integrating with zkSync for on-chain KYC. RNS.ID indicated in a release shared with Cointelegraph that its on-chain KYC solution is designed on a “privacy engine” to encrypt users' identity attributes or properties into different “hashed slices” with multiple signature verifications. RNS.ID aggregates users’ fragmented identity properties data and uses ZK-proofs to generate encrypted proofs from metadata. Additionally, the company stated that RNS.ID enables users to create their own "minimal disclosure identifying information system" for constrained usages, thereby …
Technology / Nov. 30, 2022