Hackers Break Into Telegram, Revealing 15 Million Users' Phone Numbers (venturebeat.com)
A vulnerability in Telegram has exposed the data of millions of people in Iran. Hackers in the country have compromised dozens of accounts by an SMS redirection hack, and also identified phone numbers of 15 million users, according to a report on Reuters. From the report: The attacks, which took place this year and have not been previously reported, jeopardized the communications of activists, journalists and other people in sensitive positions in Iran, where Telegram is used by some 20 million people, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying Iranian hacking groups for three years. As for the attack, hackers aren't targeting the encryption that protects messages between accounts, but how a phone number is tied to an account. When a user adds a new device to their Telegram account, the new device is confirmed through a one-time SMS message. Hackers are intercepting that SMS and cloning the data to a compromised device.
Update: Telegram reached out to Slashdot on Twitter with a link to a blog post that included:
Certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts. As a result, only publicly available data was collected and the accounts themselves were not accessed. Such mass checks are no longer possible since we introduced some limitations into our API this year. However, since Telegram is based on phone contacts, any party can potentially check whether a phone number is registered in the system. This is also true for any other contact-based messaging app (WhatsApp, Messenger, etc.). Read the rest of Telegram's official statement, including SMS codes allegedly being intercepted, here.
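The statement above says mass registration checks were possible because any contact-based messenger must answer "is this number registered?" and that Telegram later added API limitations. The following is an added example (not Telegram's code, and not from the article) of what such a limitation can look like on the server side: a contact-import endpoint with a per-account sliding-window lookup budget and a rejection of batches that look like a scan of consecutive numbers, which is how an enumeration of a whole number range differs from a real address book. The registry, the account names and all limits are constructed for illustration.

```python
from collections import deque

# Constructed data: a fake set of "registered" E.164 numbers. Not real data.
REGISTERED = {f"+9891200{n:05d}" for n in range(0, 100_000, 3)}


class ContactDiscovery:
    """Contact-import endpoint with two anti-enumeration controls.

    1. A sliding-window budget of lookups per account (max_lookups per
       window_s seconds), so splitting a scan into small batches does not help.
    2. A structural check: a batch containing a long run of consecutive
       numbers is treated as a range scan, not an address book, and rejected
       before any lookup is answered.
    All thresholds are illustrative assumptions, not Telegram's values.
    """

    def __init__(self, registry, window_s=3600, max_lookups=500, max_consecutive=20):
        self.registry = registry
        self.window_s = window_s
        self.max_lookups = max_lookups
        self.max_consecutive = max_consecutive
        self._history = {}  # account -> deque of (timestamp, lookups_spent)

    @staticmethod
    def longest_consecutive_run(numbers):
        """Length of the longest run of numerically adjacent numbers in a batch."""
        digits = sorted({int(n.lstrip("+")) for n in numbers})
        best = run = 1 if digits else 0
        for a, b in zip(digits, digits[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        return best

    def import_contacts(self, account, numbers, now):
        """Return (registered_numbers, refusal_reason). Reason is None on success."""
        q = self._history.setdefault(account, deque())
        # Drop budget entries that have aged out of the sliding window.
        while q and q[0][0] <= now - self.window_s:
            q.popleft()
        if self.longest_consecutive_run(numbers) > self.max_consecutive:
            return [], "enumeration_pattern"
        spent = sum(count for _, count in q)
        if spent + len(numbers) > self.max_lookups:
            return [], "rate_limited"
        q.append((now, len(numbers)))
        return sorted(n for n in numbers if n in self.registry), None


def demo():
    """Run the three scenarios a reviewer would want to see and return the outcomes."""
    cd = ContactDiscovery(REGISTERED)
    # A plausible address book: a handful of unrelated numbers.
    legit, legit_reason = cd.import_contacts(
        "alice", [f"+9891200{n:05d}" for n in (12, 3000, 45001, 77777, 99)], now=1000)
    # A range scan of 100 consecutive numbers in one request.
    _, scan_reason = cd.import_contacts(
        "scanner", [f"+9891200{n:05d}" for n in range(500, 600)], now=1000)
    # The same scan split into non-consecutive batches of 10 until the budget runs out.
    split_reason = None
    for k in range(51):
        batch = [f"+9891200{n:05d}" for n in range(k * 70, k * 70 + 70, 7)]
        _, split_reason = cd.import_contacts("splitter", batch, now=1000)
    return {"legit": legit, "legit_reason": legit_reason,
            "scan_reason": scan_reason, "split_reason": split_reason}


if __name__ == "__main__":
    print(demo())
```

The consecutive-run check is deliberately applied before the budget is touched, so a scanner cannot learn anything from a rejected batch, and the budget is tracked per authenticated account rather than per IP because a determined enumerator will rotate addresses more easily than accounts.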
Editors need more coffee, as evidenced by this mistake.
On the other hand, if a vulnerability in Instagram resulted in a Telegram break-in, then I really should destroy my Instagram account right now.
From TFA:
A spokesman for Telegram said customers can defend against such attacks by not just relying on SMS verification. Telegram allows — though it does not require — customers to create passwords, which can be reset with so-called “recovery” emails.
“If you have a strong Telegram password and your recovery email is secure, there’s nothing an attacker can do,” said Markus Ra, the spokesman.
So, they don't require it. One could argue that they shouldn't even allow it, though.
Perhaps they have a practical reason related to the type and location of many of their customers.
As well, you could say "perhaps they should not let morons use their service", but that doesn't work either, eh?
If you want news from today, you have to come back tomorrow.
Because it's based on the same identification scheme VK uses. Also, you can set a password if you want, which wouldn't be vulnerable to the mentioned issue in the summary.
Change is certain; progress is not obligatory.
It's about Telegram, not Instagram. And all 15 million users were from Iran. Hence the problem was in the SMS provider in Iran, not just in Telegram. Could be even the government. That is - IF such a hack indeed happened. NSA hates Telegram, so I wouldn't be surprised if it's early April fools.
Handing out your phone number for an IM service is just asking for shit like this to happen. Telegram exposed themselves to this kind of attack due to their sheer arrogance in thinking the cellular system was secure by any means.
Smart in using encryption, stupid in explicitly trusting a network.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
It took 15 minutes to view?
nooo. unhidden.
you fuckers. some agency is monitoring this site.
If this is not seen I will send a screenshot to the EFF.
Do you have discount codes for the tinfoil hat store?
Suggesting that 2fa would have helped here is not helpful. This happened because an Iranian phone company was hacked; using 2fa via SMS is not going to achieve anything when the phone company is not trustable.
AC is correct - I misread. The number is required. I guess you'd want to get a throwaway SIM or a disposable VoIP number for the initial setup, then set the password. Probably harder to do that in Iran than here though.