Internet security researchers have told Reuters that earlier this year, hackers compromised over a dozen accounts on the Telegram instant messaging service, and ultimately identified the phone numbers of 15 million Iranian users. These attacks jeopardized the communications of activists, journalists and other people in sensitive positions in Iran, where the service is used by over 20 million people.
The attacks, which mark the largest known breach of Telegram’s encrypted communications system, have not yet been officially reported, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying Iranian hacking groups for three years. Telegram’s vulnerability, according to the researchers, lies in its use of SMS text messages to activate new devices.
When users want to log on to Telegram from a new phone, the company sends them authorization codes via SMS, which can be intercepted by the phone company and shared with the hackers, the researchers said.
Armed with the codes, the hackers can add new devices to a person’s Telegram account, enabling them to read chat histories as well as new messages. “We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like basically coordination with the cellphone company,” Anderson said in an interview.
Telegram’s reliance on SMS verification makes it vulnerable in any country where cellphone companies are owned or heavily influenced by the government, the researchers said.
The Berlin-based Telegram service claims to have over 100 million active subscribers, and is widely used in the Middle East, including by the ISIS militant group, as well as in Central and Southeast Asia and Latin America.