Slashdot Mirror


Hackers Break Into Telegram, Revealing 15 Million Users' Phone Numbers (venturebeat.com)

A vulnerability in Telegram has exposed the data of millions of people in Iran. Hackers in the country have compromised dozens of accounts by an SMS redirection hack, and also identified the phone numbers of 15 million users, according to a report on Reuters. From the report: The attacks, which took place this year and have not been previously reported, jeopardized the communications of activists, journalists and other people in sensitive positions in Iran, where Telegram is used by some 20 million people, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying Iranian hacking groups for three years. As for the attack, hackers aren't targeting the encryption that protects messages between accounts, but how a phone number is tied to an account. When a user adds a new device to their Telegram account, the new device is confirmed through a one-time SMS message. Hackers are intercepting that SMS and cloning the data to a compromised device.

Update: Telegram reached out to Slashdot on Twitter with a link to a blog post that included:
Certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts. As a result, only publicly available data was collected and the accounts themselves were not accessed. Such mass checks are no longer possible since we introduced some limitations into our API this year. However, since Telegram is based on phone contacts, any party can potentially check whether a phone number is registered in the system. This is also true for any other contact-based messaging app (WhatsApp, Messenger, etc.). Read the rest of Telegram's official statement, including SMS codes allegedly being intercepted, here.

47 comments

  1. "A vulnerability in Instagram"??? by Anonymous Coward · · Score: 1

    Editors need more coffee, as evidenced by this mistake.

    On the other hand, if a vulnerability in Instagram resulted in a Telegram break-in, then I really should destroy my Instagram account right now.

    1. Re:"A vulnerability in Instagram"??? by monkeyzoo · · Score: 1

      Instagram or Telegram? Get your damn story straight /.

    2. Re:"A vulnerability in Instagram"??? by Anonymous Coward · · Score: 0

      Instagram or Telegram? Get your damn story straight /.

      It's not surprising that with a 3 million UID, you have no clue.

    3. Re:"A vulnerability in Instagram"??? by K.+S.+Kyosuke · · Score: 1

      Agile development is so fast these days that the names change even as you're writing!

      --
      Ezekiel 23:20
  2. Why require a phone number in the first place? by Anonymous Coward · · Score: 0

    It's stupid beyond belief that a messenger that prides itself on security, encryption, secure chats, and anonymity, requires linking an account to a real life phone number in first place.

    Why the fuck don't they let people register with a username and password and use that?

    1. Re:Why require a phone number in the first place? by b0bby · · Score: 1

      From TFA:

      A spokesman for Telegram said customers can defend against such attacks by not just relying on SMS verification. Telegram allows — though it does not require — customers to create passwords, which can be reset with so-called “recovery” emails.

      “If you have a strong Telegram password and your recovery email is secure, there’s nothing an attacker can do,” said Markus Ra, the spokesman.

      So, they don't require it. One could argue that they shouldn't even allow it, though.

    2. Re:Why require a phone number in the first place? by Anonymous Coward · · Score: 0

      Why the fuck don't they let people register with a username and password and use that?

      Well, there is a possibility to use usernames to identify and connect with people. The service still requires you to activate it using your mobile phone so you can get your account back if it's lost.

      But don't get me wrong, I think there's a lot of improvement Telegram could and should do. For example, proper end-to-end encryption with PKI (it's optional as of now).

    3. Re:Why require a phone number in the first place? by Frosty+Piss · · Score: 1

      So, they don't require it. One could argue that they shouldn't even allow it, though.

      Perhaps they have a practical reason related to the type and location of many of their customers.

      As well, you could say "perhaps they should not let morons use their service", but that doesn't work either, eh?

      --
      If you want news from today, you have to come back tomorrow.
    4. Re:Why require a phone number in the first place? by Anonymous Coward · · Score: 0

      They -DO- require a phone number. Try reading and actually comprehending the link you posted as a rebuttal.

      A password can OPTIONALLY be added to an account. A phone number is MANDATORY to register one.

    5. Re:Why require a phone number in the first place? by Ash-Fox · · Score: 1

      Why the fuck don't they let people register with a username and password and use that?

      Because it's based on the same identification scheme VK uses. Also, you can set a password if you want, which wouldn't be vulnerable to the mentioned issue in the summary.

      --
      Change is certain; progress is not obligatory.
    6. Re:Why require a phone number in the first place? by Anonymous Coward · · Score: 0

      I'm more likely to lose or destroy my SIM than I am forget my password.

      Why not give the option (via a 'I understand if I forget my password my account is lost forever' agreement) that you could sign up just via a username and password?

      Developer arrogance.

    7. Re:Why require a phone number in the first place? by Anonymous Coward · · Score: 0

      Meh, the ideal would be to have the user first set up a username and password, then from there, set up some recovery options, any or all they choose, with a notation of risk involved:

      1: Recovery questions (stored as salted hashes with PBKDF2, bcrypt, or scrypt so they are not free for the cracking.)
      2: A client certificate.
      3: The server shows some data in a text box, the user copies it, signs it with their gpg/PGP key, pastes the signed data in.
      4: The server pops up some random data encrypted to the user's gpg/PGP key on file, user decrypts it, pastes it as a response.
      5: A dedicated recovery app that does something like #4, but uses SMS to transfer the encrypted data, and the user just types in the decrypted number.
      6: A one-use recovery code from a list.
      7: A message to other users asking x out of y to recover and vouch for the user, similar to a share-split key recovery.

      From there, the user sets up their chosen authentication and key protection:

      1: Each device has its own private key held in the app. A new device has to be "introduced" by an existing one, which the existing device decrypts a database, and adds a record of the master key encrypted with the new device's public key. Lost devices can be deleted by any existing device.
      2: Authentication (not encryption) can be done by the usual 2FA methods, like RFC 6238 so the user can access the encrypted key. Then the user's password/passphrase is used to unlock their key. This is a weak way of doing it, but it allows access anywhere.
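The recovery-code storage and RFC 6238 verification sketched in the comment above, written out as an added Python example; this is not code from the thread, from Telegram, or from any named project. The recovery-code format, the PBKDF2 round count and the one-step clock-drift window are assumptions; the TOTP key in the demo is the RFC 6238 reference secret, used only so the output can be checked against the RFC's own vectors.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time
from typing import List, Optional

# Salted, stretched hashing for recovery secrets (the comment's items 1 and 6).
# Round count is an assumption; tune it to the server's hardware.
PBKDF2_ROUNDS = 100_000


def hash_secret(secret: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 so stolen records are not 'free for the cracking'."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def generate_recovery_codes(count: int = 8):
    """Return (plaintext_codes, stored_records).

    The plaintext list is shown to the user exactly once; only the records
    (salt + hash + used flag) are persisted server-side.
    """
    plaintext: List[str] = []
    records: List[dict] = []
    for _ in range(count):
        code = "-".join(secrets.token_hex(2) for _ in range(3))  # e.g. "3f9a-0c12-b7e4" (assumed format)
        salt = os.urandom(16)
        plaintext.append(code)
        records.append({"salt": salt, "hash": hash_secret(code, salt), "used": False})
    return plaintext, records


def redeem_recovery_code(records: List[dict], candidate: str) -> bool:
    """Consume one code: constant-time compare against every unused record, then burn it."""
    for rec in records:
        if rec["used"]:
            continue
        if hmac.compare_digest(hash_secret(candidate, rec["salt"]), rec["hash"]):
            rec["used"] = True  # one-use: a replayed code is rejected next time
            return True
    return False


# RFC 6238 TOTP built on RFC 4226 HOTP (the comment's authentication item 2).

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated per RFC 4226."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the HOTP counter is the number of `step`-second slots since the epoch."""
    now = int(time.time()) if at is None else at
    return hotp(key, now // step, digits)


def verify_totp(key: bytes, candidate: str, at: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current code plus `window` steps either side to absorb clock drift."""
    now = int(time.time()) if at is None else at
    return any(
        hmac.compare_digest(totp(key, now + d * step, step), candidate)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    codes, stored = generate_recovery_codes()
    print("recovery codes (show once):", codes)
    print("first use:", redeem_recovery_code(stored, codes[0]))   # True
    print("replay:", redeem_recovery_code(stored, codes[0]))      # False
    # RFC 6238 reference secret; the RFC's vectors give 287082 (last six digits) at T=59.
    print("TOTP at T=59:", totp(b"12345678901234567890", at=59))
```

The point of the split is the one the comment makes: the recovery codes and the TOTP secret only gate access to the encrypted key material, so a leaked server database yields salted PBKDF2 hashes rather than reusable secrets, and a replayed one-use code fails because the record is marked used on first redemption.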

    8. Re: Why require a phone number in the first place? by Anonymous Coward · · Score: 0

You can register with a phone number and then configure a username and password. The password can be recovered to your email if you want.

I wish there was proper encryption though. The current scheme is mostly homebrewed (=== bad).

    9. Re:Why require a phone number in the first place? by Anonymous Coward · · Score: 0

      You're the product not the customer.

    10. Re: Why require a phone number in the first place? by Anonymous Coward · · Score: 0

      I have several Telegram accounts - they are partly linked to the phone (by MAC address, I suppose) and partly to the number (SIM).

      There is no obvious way to move your account from one phone or SIM to another, so if you change your network (with PAYG, that can happen weekly to get the best deal for overseas calling), or change your phone (eg give/lend the old one to a relative or friend) your account is lost - or worse, your personal messages go to someone else!

      Telegram appears to have lost the plot in more ways than one.

    11. Re:Why require a phone number in the first place? by b0bby · · Score: 1

AC is correct - I misread. The number is required. I guess you'd want to get a throwaway SIM or a disposable VOIP number for the initial setup, then set the password. Probably harder to do that in Iran than here though.

  3. Telegram, not Instagram. by Anonymous Coward · · Score: 0

    EOM

  4. from the editing-woes dept. by Anonymous Coward · · Score: 0

    manishs posts stories using his Apple iPhone apparently.

  5. Ya know.... by Anonymous Coward · · Score: 0

    There used to be this group years ago that went by the acronym TRYP that would collect thousands upon thousands of phone numbers. Every year they would actually print the entire list of numbers, names, and addresses on yellow paper and they would commission people to drive by and throw this yellow book at your house! Those were crazy times...

    1. Re:Ya know.... by Anonymous Coward · · Score: 0

      We have something similar in Canada. And every year, we follow the delivery trucks from afar and pick up the yellow books. Free fuel to heat our house for 350 days!

  6. Honeypot by Anonymous Coward · · Score: 0

    Telegram is just a honeypot, why else would it be advertised so heavily whenever the topic of terrorists or evil-doers comes up?

  7. ummm by Anonymous Coward · · Score: 0

    the company sends them authorization codes via SMS, which can be intercepted by the phone company and shared with the hackers

I wonder if the phone co also charges them for the SMS?

    1. Re:ummm by Anonymous Coward · · Score: 0

I wonder if the phone co also charges them for the SMS?

      Only in the USA. Rest of the world is more sensible, even North Korea doesn't do that.

  8. Damn you autocorrect! by Anonymous Coward · · Score: 0

    "A vulnerability in Instagram..."

  9. And thus this is why using a phone number by Anonymous Coward · · Score: 0

...as a username and the means to validate an account is a pretty fucking daft idea. Yes, I know you can get yourself a proper username on Telegram and even change it any time you can, but your main visible identifier remains as your phone number.

  10. They gots fones in iran? by Anonymous Coward · · Score: 0

When'd they get out of the caves?

  11. Good thing it was "hackers". by Anonymous Coward · · Score: 0

    If it was normal people, then just anyone coulda done it. That might be cause for concern.

  12. What Slashdot didn't say is ... by Mondor · · Score: 4, Informative

It's about Telegram, not Instagram. And all 15 million users were from Iran. Hence the problem was in the SMS provider in Iran, not just in Telegram. Could be even the government. That is - IF such a hack indeed happened. NSA hates Telegram, so I wouldn't be surprised if it's early April fools.

    1. Re:What Slashdot didn't say is ... by Mondor · · Score: 2

      Oh, and before we go any further, here is the official reply from Telegram:

      "Certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts. As a result, only publicly available data was collected and the accounts themselves were not accessed. Such mass checks are no longer possible since we introduced some limitations into our API this year.

      However, since Telegram is based on phone contacts, any party can potentially check whether a phone number is registered in the system. This is also true for any other contact-based messaging app (WhatsApp, Messenger, etc.)."

      https://telegram.org/blog/15mi...

  13. Google and Microsoft doing SMS same? by Anonymous Coward · · Score: 0

Wasn't this the latest greatest Security measure, 2Factor verification of adding devices to your account using SMS over unencrypted SS7 signaling?

    User data over Telnet is never a good authentication verification route.

  14. Well deserved by Khyber · · Score: 1

    Handing out your phone number for an IM service is just asking for shit like this to happen. Telegram exposed themselves to this kind of attack due to their sheer arrogance in thinking the cellular system was secure by any means.

    Smart in using encryption, stupid in explicitly trusting a network.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Well deserved by OrangeTide · · Score: 1

      I remember when my phone number was listed in a public directory known as a "Telephone Book". Anyone with access to a "Pay Phone" could read this "Telephone Book" and determine my phone number and home address. (the reverse of looking up my name and address using my phone number was harder as the book was physically printed on trees and could not be re-indexed or accessed electronically by the average person)

      --
      “Common sense is not so common.” — Voltaire
    2. Re:Well deserved by Khyber · · Score: 1

      XMPP/Jabber is much safer, especially run through Pidgin with OTR, you ignorant fuckwit.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  15. /\/\/\ Speaking of Hax0rz \/\/\/ by Anonymous Coward · · Score: 0

    Am I the only one who ever notices Slashdot routing? It is always sketchy. These IP's connect repeatedly on port 443 (HTTPS).

    216.34.181.48
    star.slashdot.org United States, Chesterfield

    184.26.197.171
    United States, Wilmington --> India, 3 hops --> a184-26-197-171.deploy.static.akamaitechnologies.com @ United States, Cambridge

    Is Slashdot under some sort of surveillance or something?

    A while back it was connecting to unexpected CA servers then the EFF looked at it and it stopped. Now this?

    1. Re:/\/\/\ Speaking of Hax0rz \/\/\/ by Anonymous Coward · · Score: 0

      Slashdot is hiding posts now. I showed this and neither the above post nor this is visible from the thread.

      IP's changed after I posted the above to 104.86.60.71.

      It hops USA --> United Kingdom, 3 hops --> a104-86-60-71.deploy.static.akamaitechnologies.com United States, Cambridge

      This is the second time I posted this comment, the other one was removed. (3 total comments, you see 2)

    2. Re:/\/\/\ Speaking of Hax0rz \/\/\/ by Anonymous Coward · · Score: 0

      Hiding shit now. What the fuck is going on with Slashdot?

      This is my reply but it's gone?
      https://it.slashdot.org/comments.pl?sid=9474111&cid=52631481

    3. Re:/\/\/\ Speaking of Hax0rz \/\/\/ by Anonymous Coward · · Score: 1

      It took 15 minutes to view?

      nooo. unhidden.

      you fuckers. some agency is monitoring this site.

      If this is not seen I will send a screenshot to the EFF.

    4. Re:/\/\/\ Speaking of Hax0rz \/\/\/ by Anonymous Coward · · Score: 1

      Do you have discount codes for the tinfoil hat store?

    5. Re:/\/\/\ Speaking of Hax0rz \/\/\/ by Anonymous Coward · · Score: 0

      Sounds more to me like your own connection is fucked. My traceroute to slashdot.org goes from Atlanta to Dallas to Chicago. My trace to star.slashdot.org goes from Atlanta to Dallas to Elk Grove Illinois to Chicago. I don't see any traffic to 184.26.197.171 but if I do a traceroute there I wind up going from Atlanta to Dallas to Los Angeles to Singapore.

      What the hell is star.slashdot.org anyway?

    6. Re:/\/\/\ Speaking of Hax0rz \/\/\/ by Anonymous Coward · · Score: 0

      Easy there, sparky. 184.26.197.171 and 104.86.60.71 are both PTRs of a.fsdn.com, among other Akamai client sites. a.fsdn.com is Slashdot/SourceForge's own little CDN deployed on Akamai. It's a legit host that serves up a lot of the images on Slashdot like the story category icons.

      If you're in the US, you should be getting US-based Akamai endpoints unless you're doing something to mess that up. Akamai tries to point you to the closest physical server based mostly upon where your DNS traffic comes from. Since you're getting Akamai endpoints in Europe and Asia I'm going to assume you're a) using a VPN or b) using Tor or c) have some kind of custom DNS server in place. Maybe some combination of the three. In the first two cases it's expected behavior that you'll get weird endpoints. In the third case only you or your DNS operator will know for sure.

    7. Re:/\/\/\ Speaking of Hax0rz \/\/\/ by Anonymous Coward · · Score: 0

No, I am the OP. I used a site called cqcounter.com/whois to traceroute, it does a direct traceroute from St. Paul, Minnesota in the United States. No way it should be going to India for 3 hops (for a long time same route) then back to the United States. Then suddenly I posted a comment that it was going through India and immediately it switched to the United Kingdom for 3 hops after my comment. It was India for hours.

      When I went to post the new 3 hops, it started connecting to a different CA authority other than GeoTrust Inc. , and the second comment didn't post until I made my third comment at 5:53 Slashdot time. That means it took 15 minutes and me mentioning it for the second comment to post.

      It was blocked and the network was modified on the fly. Period. Third party spying for sure.

  16. What about Signal? by Anonymous Coward · · Score: 0

    Does this also affect Signal private messenger? It requires a phone number and SMS verification.

  17. 20% of Iranians? by Anonymous Coward · · Score: 0

    Wait, 15m people out of roughly 75m are using Telegram? Seems high to me.

  18. 2fa not helping by amias · · Score: 1

Suggesting that 2fa would have helped here is not helpful. This happened because an Iranian phone company was hacked; using 2fa via SMS is not going to achieve anything when the phone company is not trustable.

    --
    [site]
  19. What is the 'system'? by Anonymous Coward · · Score: 0

    By the 'system' in which a number is registered, do they mean telecommunication network, or a particular messaging app? I mean, is it possible for any application to check whether my phone number is registered at Telegram/Whatsapp/Signal/Whatever, if the app performing the check is installed together with a messaging app on the same device?