Telegram User Data From Earlier Leaks Found on Dark Web, Contact Import Feature Is to Blame
A 900-megabyte database of Telegram users’ phone numbers, nicknames, and unique identifiers has been found posted on one of the forums on the dark web. The exact number of affected accounts isn’t known but is estimated to be in the millions.
According to the Russian-language outlet Kod Durova, about 70% of the accounts in the database belong to Iranian users and the remaining 30% to Russians. Telegram confirmed the leak and explained that the information was obtained through the contact import feature.
“Databases like this typically match phone numbers with user identifiers. They are created by exploiting the contact import feature during registration. Unfortunately, services that allow users to communicate with people from their phone contacts can’t entirely avoid this method,” Telegram told the journalists.
Telegram representatives also said that the leaked information is mostly obsolete thanks to additional safeguards put in place by the developers in late summer 2019 as a response to surveillance of the Hong Kong protesters.
“Our analysis shows that 84% of these Iranian (70% of the database) and Russian numbers (30%) were collected before mid-2019. 60% of entries mention deleted accounts (as well as numbers that were changed and other outdated information),” the messenger representative told forklog.media, “One of the reasons for this is that we’ve significantly improved our anti-scraping algorithms in summer 2019. We’ve also added a setting to specifically address this issue during the Hong Kong protests: “Who can add me by my phone number” (see Privacy & Security > Phone number, set to Nobody).”
The database in question turned out to be a combination of several previously leaked batches of data amounting to about 40 million lines in total. Part of the data came from a leak that took place in early May 2020, and another 12 million entries associated with Russian phone numbers were reportedly obtained in April 2020.
“[T]he database only contains connections between phone numbers and user ids on Telegram: no passwords, no messages or other sensitive data are present. No accounts have been accessed,” a Telegram representative noted.
Touted as a privacy-focused messenger, Telegram gets a lot of heat from the community for apparently lacking basic features: it does not offer end-to-end encryption for groups and limits it to personal secret chats.
Since the messenger is popular in places where free speech is suppressed, political dissidents, journalists, and other potentially wanted people end up using it as a means of pseudonymous and somewhat secure communication. The problem with the contact import feature is that it allows attackers to match users’ pseudonymous accounts with the associated phone numbers even if a user opted to hide the number. Having a person’s phone number may allow government agencies or hackers to obtain further information on the person: their name, call history, rough locations, etc.
Notably, during the Hong Kong protests of 2019, users found out that this feature could let attackers join a protesters’ chat and unmask the phone numbers of all its members. A bad actor just needed to feed a sequence of numbers to the messenger as “contacts” from their phone book and wait until it found a match with someone’s account.
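One way a service could spot the import pattern described above, shown as an added example (not Telegram's code and not part of the original article): a per-account check on the volume and sequential density of submitted numbers. The thresholds, function names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds for illustration; a real service would tune them on its own traffic.
MAX_IMPORTS_PER_WINDOW = 500   # distinct numbers one account may submit per window
MAX_SEQUENTIAL_RATIO = 0.5     # share of numbers that are "n, n+1" neighbours
MIN_SAMPLE = 20                # do not judge density on tiny address books


def sequential_ratio(numbers):
    """Share of distinct numbers whose successor (n + 1) was also submitted.

    A genuine address book is scattered, so the ratio stays near 0.
    A generated range such as 100..199 scores 1.0.
    """
    distinct = set(numbers)
    if len(distinct) < 2:
        return 0.0
    neighbours = sum(1 for n in distinct if n + 1 in distinct)
    return neighbours / (len(distinct) - 1)


def flag_enumeration(events):
    """events: iterable of (account_id, phone_number_as_int) within one window.

    Returns {account_id: [reasons]} for accounts whose imports look generated.
    """
    per_account = defaultdict(set)
    for account, number in events:
        per_account[account].add(number)

    flagged = {}
    for account, numbers in per_account.items():
        reasons = []
        if len(numbers) > MAX_IMPORTS_PER_WINDOW:
            reasons.append("volume")
        if len(numbers) >= MIN_SAMPLE and sequential_ratio(numbers) > MAX_SEQUENTIAL_RATIO:
            reasons.append("sequential")
        if reasons:
            flagged[account] = reasons
    return flagged


# Constructed sample input: one ordinary address book and one generated range.
SAMPLE_EVENTS = (
    [("alice", n) for n in (15550104242, 15550107310, 15550109955, 15550131876)]
    + [("importer_2", 15550100000 + i) for i in range(600)]
)
```

Flagged accounts would then be throttled or have their import results withheld; a phone-number discoverability setting such as the one Telegram describes limits what a match returns even when a probe is not flagged.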
“There is no bug: just like WhatsApp or Facebook Messenger, Telegram is based on phone contacts. This means that you must be able to see your contacts who are also using the app,” a Telegram spokesperson told ZDNet at the time, “The phone number settings control phone number visibility for users who don’t have your number (as opposed to WhatsApp showing your phone number to everyone else in any group).”
Still, even knowing the limitations of Telegram, the protesters couldn’t simply switch to a better option.
“Changing to a different app like Signal is not a viable option for us. Because the way the protestors communicate heavily depends on the support of very large groups […] in which Telegram has really good support,” Chu Ka-Cheong, Director at Internet Society Hong Kong Chapter, told ZDNet, “On the other hand, Signal and Wire groups are limited to a few hundred people, and Signal makes your phone number visible to everyone anyway.”
Protesters figured that, for lack of better options, using a “burner SIM,” a SIM card you can afford to expose, is the best way to keep using the messenger without exposing the main number and all the information associated with it.
Earlier, Russia’s internet censor Roskomnadzor lifted its ban on using Telegram inside the country after the messenger agreed to filter content that has to do with terrorism and extremism.
Edited to include comments by Telegram representatives