Posted on 06-24-2020.
A 900-megabyte database of Telegram users’ phone numbers, nicknames, and unique identifiers has been found posted on a dark web forum. The exact number of affected accounts isn’t known but is estimated to be in the millions. According to the Russian-language outlet Kod Durova, about 70% of the accounts in the database belong to Iranian users and the remaining 30% to Russians. Telegram confirmed the leak and explained that the information was obtained through the contact import feature.
“Databases like this typically match phone numbers with user identifiers. They are created by exploiting the contact import feature during registration. Unfortunately, services that allow users to communicate with people from their phone contacts, can’t entirely avoid this method,” Telegram told the journalists.
Telegram representatives also said that the leaked information is mostly obsolete thanks to additional safeguards put in place by the developers in late summer 2019 as a response to surveillance of the Hong Kong protesters.
“Over 84% of the data have been collected before mid-2019. Most of the accounts in the database—no less than 60%—contain obsolete information. This shows that the last year we’ve been able to reduce the number of such exploitation cases,” the messenger representatives told Kod Durova.
The database in question turned out to be a combination of several previously leaked batches of data amounting to about 40 million lines in total. Part of the data came from a leak that took place in early May 2020, and another 12 million entries associated with Russian phone numbers were reportedly obtained in April 2020.
Touted as a privacy-focused messenger, Telegram gets a lot of heat from the community for apparently lacking basic features: it has no end-to-end encryption for groups and limits it to personal secret chats. Since the messenger is popular in places where free speech is suppressed, political dissidents, journalists, and other potentially wanted people end up using it as a means of pseudonymous and somewhat secure communication.
The problem with the contact import feature is that it allows attackers to match users’ pseudonymous accounts with the associated phone numbers even if a user opted to hide the number. Having a person’s phone number may allow government agencies or hackers to obtain further information on the person: their name, call history, rough locations, etc.
Notably, during the Hong Kong protests of 2019, users found out that this feature could let attackers join a protesters’ chat and unmask the phone numbers of all its members. A bad actor just needed to feed a sequence of numbers to the messenger as “contacts” from their phone book and wait until it found a match with someone’s account.
"There is no bug: just like WhatsApp or Facebook Messenger, Telegram is based on phone contacts. This means that you must be able to see your contacts who are also using the app," a Telegram spokesperson told ZDNet at the time. "The phone number settings control phone number visibility for users who don't have your number (as opposed to WhatsApp showing your phone number to everyone else in any group)."
Still, even knowing the limitations of Telegram, the protesters couldn’t simply switch to a better option.
"Changing to a different app like Signal is not a viable option for us. Because the way the protestors communicate heavily depends on the support of very large groups [...] in which Telegram has really good support," Chu Ka-Cheong, Director at Internet Society Hong Kong Chapter, told ZDNet. "On the other hand, Signal and Wire groups are limited to a few hundred people, and Signal makes your phone number visible to everyone anyway."
Protesters figured that, for lack of better options, using a “burner SIM,” a SIM card you can afford to expose, is the best way to keep using the messenger without exposing the main number and all the information associated with it.
Earlier, Russia’s internet censor Roskomnadzor lifted its ban on using Telegram inside the country after the messenger agreed to filter content that has to do with terrorism and extremism.