Encrypted-messaging app Telegram suffered a massive data leak that exposed the personal data of millions of users. A rival to WhatsApp, Telegram allows customers to privately exchange end-to-end encrypted texts, calls, voice notes, and videos. But vulnerability in its contact import feature compromised millions of records, including phone numbers and user IDs, which were then leaked onto the darknet.
Russian tech publication Kod.ru was the first to report the issue, saying that personal information like user identities and phone numbers have been posted on a darknet forum. The database file size is about 900 megabytes. According to reports, the messenger app service acknowledged the existence of a data breach, which occurred after exploiting the built-in contacts import feature during registration.
However, the company added that most of the records are outdated, with 84% of data entries collected before mid-2019. Furthermore, the majority of accounts in the database contain irrelevant information. Telegram also revealed that 70% of the exposed accounts were from Iran, while the remaining 30% belonged to users from Russia.
A company spokesperson told Cointelegraph that the contact import vulnerability is a cause of concern to every similar messaging app, including competitors WhatsApp. “Unfortunately, any contacts-based app faces the challenge of malicious users trying to upload many phone numbers and build databases that match them with user IDs – like this one,” the representative expressed.
They also added that the database only contained information on users’ phone numbers and Telegram IDs, with no data like passwords, messages, or other sensitive information present. The spokesperson emphasized that the accounts weren’t breached.
Not the First Leak
The current data leak isn’t Telegram’s first rodeo. In August 2019, the company was at the center of controversy when a bug exposed the phone numbers of Hong Kong pro-democracy campaigners. The technical issue was found in the app’s group messaging feature, allowing Chinese authorities to identify and locate protesters.
Although China banned Telegram in 2015, pro-democracy supporters in Hong Kong managed to bypass restrictions and use the messaging app. Privacy-friendly Telegram is popular among the protesters because it conceals communications from the Chinese government’s intrusive eyes. However, it turned out that the bug can exploit public groups, thus exposing members’ phone numbers, even if they opted to keep them private.
Internet Society Hong Kong Chapter Director Chu Ka-cheong said that phone numbers have always been an issue with Telegram because it uses them as identifiers. Other secure messaging platforms do the same thing as well. But he admitted that they were surprised when they found out that setting who can see a phone number to Nobody “still allowed users who saved your phone number in the address book to match phone numbers to public group members.”
As a result of the data leak, Telegram rolled out a new feature in September 2019 that allows you to show your phone number to nobody at all. The new option ensures that “random users who add your number as a contact are unable to match your profile to that number.”
But as the latest leak shows, synching and importing contacts on Telegram remains an issue.
Several online sources offer tips on how to increase your online privacy, anonymity, and security. A VPN, for example, reroutes your traffic, changes your IP address, and encrypts your data.