In the aftermath of security researchers' claims that Iranian hackers have identified the phone numbers of 15 million users and compromised at least a dozen accounts on the secure messaging service, Telegram has issued a statement to explain what really happened.
Reuters reported this week that the hack attack in Iran was the "largest known breach" of Telegram's encrypted messenger. The hackers, part of an Iranian group called "Rocket Kitten", performed their attack earlier this year but kept the breach undisclosed until now.
The security researchers Collin Anderson and Claudio Guarnieri announced that they found a vulnerability within the Telegram communication system. Despite the fact that Telegram offers end-to-end encryption, hackers can access the SMS text messages sent to users when new devices are signed into the service.
Anderson and Guarnieri discovered that when a Telegram user logs into the messaging system from a new smartphone, the authorization codes sent via SMS can be intercepted by the phone company. Since communication providers in Iran are owned or monitored by the State, the data intercepted by the phone company might be shared with the country's law enforcement agencies and cyberattackers.
In response to those allegations, Telegram posted a statement on the company blog. According to the company's statement, the Iranian accounts "were not accessed" and the only released information was already in the public domain.
According to ZDNet, Telegram added that since the recent introduction of limitations into the firm's API, such mass checks are no longer possible. The company clarified that since its messaging system is based on phone contacts, as are other contact-based messaging apps like Messenger or WhatsApp, anyone can freely check whether a phone number is registered in the system.
According to VentureBeat, Telegram also commented that accessing accounts by intercepting SMS verification codes is not a new threat. The company has already warned its users in various countries about this security risk. Telegram recommends using a registered email account to set up an additional code when setting up a new device, in order to prevent account compromise through SMS messages.