Comparitech, along with the popular researcher Bob Diachenko, discovered 42 million Iranian ‘Telegram’ user IDs and phone numbers online.
The accounts belong to Iranian users and come from a third-party version of the Telegram app.
Telegram is the most popular messaging app in Iran, with more than 50 million registered users nationwide. It’s used by dissidents and government opponents because its conversations can’t be eavesdropped on.
Telegram was blocked permanently in early 2018 following local anti-government protests and civil unrest. Since 2018, many users have continued to access it through proxies and VPNs, while others use unofficial third-party forks.
The data was published by a group called “Hunting system” (translated from Farsi) on an unsecured Elasticsearch cluster. The archive was shut down after Diachenko reported the incident to the hosting provider on March 25.
According to Telegram, the data came from an unofficial “fork” of Telegram. This is possible because the popular instant messaging app is an open-source application that allows third parties to develop their own versions. The availability of unofficial forks of the app is not surprising because the official Telegram app is frequently blocked in Iran.
“We can confirm that the data seems to have originated from third-party forks extracting user contacts. Unfortunately, despite our warnings, people in Iran are still using unverified apps. Telegram apps are open source, so it’s important to use our official apps that support verifiable builds,” a Telegram spokesperson told Comparitech.
The bad news is that other unauthorized parties might have accessed the data while it was exposed; experts reported that at least one user had posted the data to a hacker forum.
The exposed data poses a serious risk to users in a country like Iran: a nation-state actor could use it to target specific individuals who use Telegram (or a fork of the instant messaging app) for surveillance purposes.
The exposed records included user data originating from Iran, such as user account IDs, usernames, phone numbers, hashes, and secret keys.
The experts pointed out that hashes and secret keys can’t be used to access accounts.
“They only work from inside the account to which they belong, according to a Telegram spokesperson.” continues the post.
Below the timeline of the exposure:
(SecurityAffairs – privacy, data leak)