Security researchers have discovered 42 million records from a third-party version of messaging app Telegram online.
The Comparitech team and Bob Diachenko discovered the exposed data on March 21, after it was posted on an Elasticsearch cluster with no password authentication.
After contacting the hosting provider on March 24, the cluster was deleted a day later. However, by then one user had published the data on a hacking forum.
The trove of data contained 42 million records from an “unofficial ‘fork’ of Telegram,” explained Comparitech. Exposed user data, originating from Iran, included user account IDs, usernames, phone numbers, hashes and secret keys.
A Telegram spokesperson told Comparitech, “We can confirm that the data seems to have originated from third-party forks extracting user contacts. Unfortunately, despite our warnings, people in Iran are still using unverified apps. Telegram apps are open source, so it’s important to use our official apps that support verifiable builds.”
Although the hashes and secret keys can’t be used to access accounts, threat actors could use the other information to launch financially motivated attacks.
“SIM swap attacks are one example. A SIM-swap attack occurs when the attacker convinces a phone carrier to move a phone number to a new SIM card, allowing them to send and receive the victim’s SMS messages and phone calls. The attacker could then receive their one-time access verification codes, granting full access to app accounts and messages,” explained privacy advocate Paul Bischoff.
In addition, users are at risk of targeted phishing attacks or scams.