Telegram’s built-in contact import feature was exploited to leak the personal data of millions of users onto the darknet.
Telegram, a major privacy-focused messaging app, has suffered a data leak that exposed some personal data of its users on the darknet.
According to the report, the database contains phone numbers and unique Telegram user IDs. It remains unclear exactly how many users’ data was leaked; the database file is about 900 megabytes.
About 40% of entries in the database should be relevant
Telegram has reportedly acknowledged the existence of the leaked database to Kod.ru. The database was collected by exploiting Telegram’s built-in contacts import feature at registration, Telegram reportedly said.
Telegram noted that the data in the leaked database is mostly outdated. According to the report, 84% of data entries in the database were collected before mid-2019. As such, at least 60% of the database is outdated, Telegram declared in the report.
Additionally, 70% of leaked accounts came from Iran, while the remaining 30% were based in Russia.
All phone-based apps are vulnerable to this type of attack, Telegram says
Speaking to Cointelegraph, a spokesperson at Telegram highlighted that the reported vulnerability is a major problem for all contact-based messengers. This includes the company’s biggest rival, WhatsApp. The representative said:
“Like other phone-based messengers (Facebook Messenger, WhatsApp, Viber), Telegram allows you to see which of your contacts are also using the app. Unfortunately, any contacts-based app faces the challenge of malicious users trying to upload many phone numbers and build databases that match them with user IDs – like this one.”
The spokesperson also emphasized that the leaked database only contains connections between phone numbers and Telegram user IDs and no accounts have been accessed. “No passwords, no messages or other sensitive data are present,” Telegram elaborated.
Just the latest leak
This is not the first instance of Telegram users’ phone numbers being leaked. In August 2019, Hong Kong activists reported on a vulnerability that exposed their phone numbers, allowing Chinese law enforcement agencies to track protesters’ identities.
In response to the vulnerability, Telegram expanded user privacy tools in September 2019. Specifically, Telegram introduced a feature allowing users to show their phone number to nobody at all. The feature’s description reads:
“If you set Who Can See My Phone Number to ‘Nobody’, a new option will appear below, allowing you to control your visibility for those who already have it. Setting Who Can Find Me By My Number to ‘My Contacts’ will ensure that random users who add your number as a contact are unable to match your profile to that number.”
The report comes soon after Russian authorities lifted the two-year ban on the Telegram app in the country.