Iranian hackers compromised secure internet messaging app Telegram, accessing the accounts of nearly 15 million Iranian users, cyber researchers told Reuters Tuesday.
The hacking compromised the accounts of several activists, journalists and other important people in Iran. Independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri said that the hacking occurred this year.
The attack reportedly targeted Telegram’s one-time SMS activation and not its end-to-end encryption. Telegram sends an SMS with a verification code to users who want to log in to the app from a new device. The SMS can be intercepted by phone companies and sold to hackers who can then access the user’s contact list and archived messages.
“We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like basically coordination with the cellphone company,” Anderson said.
Telegram spokesman Markus Ra said that users can avoid the SMS verification by creating passwords that can be reset with “recovery” emails. “If you have a strong Telegram password and your recovery email is secure, there's nothing an attacker can do,” Ra said.
The cyber researchers added that the hacking targeted political activists who were involved in opposition organizations but refused to reveal names, fearing for their safety. “We see instances in which people... are targeted prior to their arrest,” Anderson said, “We see a continuous alignment across these actions.”
The Telegram team released a statement Tuesday saying that only publicly available data was collected and the private accounts weren’t accessed. “However, since Telegram is based on phone contacts, any party can potentially check whether a phone number is registered in the system. This is also true for any other contact-based messaging app,” the statement said.
Telegram also said that the 2-step verification process was set up to prevent interception of the SMS verification. “This is hardly a new threat as we've been increasingly warning our users in certain countries about it. Last year we introduced 2-Step Verifications specifically to defend users in such situations,” the statement said.
Telegram is a cloud-based instant messaging service that boasts of nearly 100 billion active users and is used by nearly 20 million people in Iran.