42 Million Telegram User Records Were Posted on an Underground Forum

42 Million Iranian Telegram Users Exposed

Unfortunately, it's not uncommon for information to be exposed without any signs of a data breach. Over the years, we've seen countless incidents where databases are connected to the internet, and the information in them becomes accessible without any form of authentication. You could even go as far as saying that the majority of leaks we read about are the result of misconfigured databases rather than any cybercriminal activity. Some exposures are more serious than others, and unfortunately, today, we'll talk about a leak that could have very severe consequences for the people involved.

More than 40 million Telegram users have had their data exposed

The discovery was made by a team of researchers from Comparitech led by Bob Diachenko, who is responsible for quite a few similar reports. On March 21, they found an Elasticsearch cluster that was accessible from anywhere in the world without a password. It had been posted by a group of cybercriminals who call themselves "Hunting system," and the researchers were interested to see what the crooks had exposed. When they opened the database, they found no fewer than 42 million records, each of which belongs to a different individual. All of the affected people are apparently based in Iran, and they have all used a version of the Telegram messaging application. The exposed data includes usernames, account IDs, phone numbers, and hashes and secret keys.

The Elasticsearch cluster was first indexed by the Binary Edge search engine on March 15, and it was taken down shortly after Diachenko filed an abuse report with the hosting provider. It stayed online for a little over ten days, but unfortunately, it would appear that this was enough for the data to fall into the wrong hands. According to Comparitech's report, "at least one" copy of the information has been posted on a hacking forum. So, many people are affected, and we know with absolute certainty that the data can be misused. What do victims need to look out for?

Iranian Telegram users can be especially vulnerable

To understand how serious the leak is, we must first know what Telegram is and how it's used all around the world. Telegram is an open-source instant messaging application that promises end-to-end encryption of all the communication that runs through it. Privacy-conscious people in many countries use it to ensure that nobody can sniff through their chats. Curiously enough, Iran is not one of those countries. At least not officially.

In 2018, the app was banned in the Middle Eastern country because its vision of a secure, private communication channel didn't coincide with the government's censorship regime. We must point out that the original Telegram app, the one that is banned, is not the source of the leaked data.

After the government ban, people in Iran started using third-party offshoots of the communication service. A Telegram spokesperson told Comparitech that the stolen data came from one or more of these applications.

Affected users should bear in mind that the leak doesn't pose an immediate threat to their accounts. Criminals can't log into people's accounts with the hashes and secret keys found in the database. They can, however, mount a SIM swapping attack against high-value targets, which can enable further criminal activity.

More worryingly, however, the leak exposes the Iranian citizens who are finding ways to use the Telegram service even though they're not allowed to. Given that we're talking about a country that is often criticized for its disregard of human rights, this is not good news.

April 1, 2020