Massive Telegram Data Breach Claim Emerges Online, Authenticity Yet to Be Verified

By: Joahn G
Last updated: May 8, 2026
  • An underground market seller claims to possess millions of records of Telegram users, including usernames, phone numbers, IP addresses, session data, and chat metadata, though the authenticity remains unverified.

  • Similar claims against SK Telecom in September last year proved completely false; after analysis, the company confirmed that no internal data breach had occurred.

  • Telegram users should follow online safety measures to protect against potential account takeovers.

A cybercriminal on an underground forum has posted an advertisement claiming possession of a massive database belonging to Telegram users. The threat actor alleges the stolen information includes approximately 28 million records.

The seller claims the dataset contains usernames, phone numbers, user IDs, profile names, bios, profile photos, contact lists, group and channel associations, chat-related metadata, session login information, device information, IP addresses, and last online activity data. The post presents the information as available for download.

Security researchers urge caution about these claims: dark web data listings often prove exaggerated or contain recycled material from older breaches, and the authenticity and origin of the alleged Telegram dataset remain unconfirmed at this stage.

Previous Telegram Data Claims Turned Out to be False

A similar incident occurred in September last year, when hackers claimed to have breached SK Telecom and stolen 27 million subscriber records. The criminals posted sample data on Telegram channels and demanded contact for negotiations.

SK Telecom conducted a thorough investigation after the claims surfaced. The company analyzed the sample data, website capture screens, and FTP screens posted on the dark web. Officials determined that all content was completely false, including a website that did not even exist within the company.

The hackers threatened to disclose all subscriber data if SK Telecom refused to contact them. The company held firm and stated that no internal data leak of that size had taken place. Security analysts hypothesized that the hackers may have been seeking publicity, as part of a scam, by trading on another known past hack.

Following SK Telecom’s announcement, the associated Telegram channel quickly shut down, undercutting the claims. The Korean government’s Ministry of Science and ICT launched an investigation to determine the truth behind these allegations.

Not all dark web data sale claims turn out to be fake, however. In a recent high-profile incident, hackers sold alleged source code belonging to a target corporation on the dark web, and employees reportedly verified the authenticity of the leaked data. The case serves as a reminder that some dark web listings carry genuine, dangerous content. Read the full story: "Hackers sell alleged target source code on the dark web, and employees verify authenticity."

Telegram has Faced Increased Scrutiny Over Data Practices

Telegram has long advertised itself as a messaging platform built on privacy. However, legal and political pressure following the arrest of an executive affiliated with Telegram in a European country has brought a major change in Telegram’s stated view of what constitutes a valid data request.

Telegram has begun expanding its interpretation of what counts as a valid data request, after responding to court-ordered requests from some major jurisdictions. The company started cooperating with a broader range of criminal investigations beyond terrorism cases. This now includes organized crime, cyber fraud, and large-scale digital marketplaces hosted on the platform itself.

Telegram’s cooperation with law enforcement has sharply increased following the subtle policy change. Telegram received roughly 900 requests filed by United States law enforcement, affecting an estimated total of 2,253 users, with the heaviest concentration between October and December. France, India, and Brazil saw similar increases in law enforcement requests.

In instances where Telegram received legally valid warrant requests for data collection, the company supplied phone numbers, IP addresses, and other associated device and connection metadata, as well as timestamps showing the creation of associated sessions.

Most Telegram users operate in Cloud Chats rather than Secret Chats, meaning their conversations are stored on Telegram’s servers with encryption keys that the company controls.

How Telegram Users Can Protect Their Accounts

Security experts recommend enabling two-factor authentication on all Telegram accounts regardless of the current threat. Users should regularly review active sessions and connected devices through the app settings and revoke any unknown or suspicious sessions immediately.

Don’t use the same password for multiple online services, and be wary of phishing messages that lead to fake Telegram login portals designed to steal your credentials. Verify the website address before entering login information anywhere.

If the information, such as session IDs and authentication artifacts, is accurate and has been published on the dark web, the related risks are highly significant. Attackers would be highly likely to attempt account hijacking, impersonation, targeted phishing, surveillance, and social graph analysis.

Your best line of defense will always be proactive security: enabling 2FA on your accounts, reviewing your active sessions, and not clicking on login links received in unsolicited messages.

About the Author

Joahn G

Cyber Threat Journalist

Joahn is a cyber threat journalist dedicated to tracking the evolving landscape of digital risks. His reporting focuses on ransomware gangs, data breach incidents, and state-sponsored cyber operations. By analyzing threat actor motives and tactics, he provides timely intelligence that helps readers understand and anticipate the security challenges of tomorrow.
