Telegram Data Breach
In 2016, attackers exploited Telegram's contact import API to scrape the phone numbers and user IDs of millions of users, an incident that disproportionately affected users in Iran. Separately, in June 2024, a massive composite credential dataset containing 361 million email addresses collected from Telegram cybercrime channels where stolen credentials are routinely traded was added to the Have I Been Pwned (HIBP) breach notification service.
This second dataset was not derived from Telegram's infrastructure at all; Telegram was the distribution channel for stolen credentials from breaches elsewhere, not the source of the breach. Together, these incidents illustrate two very different threats: API abuse that exposes platform metadata, and the use of encrypted messaging apps as marketplaces for credential theft.
Telegram Data Breach Explained: What Happened?
The API scraping incident took place in 2016, with initial reports surfacing in August of that year, and it particularly affected users in Iran. The full dataset from that incident was later circulated on dark web forums, and a portion was leaked by the hacktivist group Handala Hack in 2020.
Separately and unrelatedly, in June 2024 (not July 2020), the Have I Been Pwned service added a 361-million-record dataset of email addresses and passwords. This dataset was scraped from Telegram cybercrime channels where stolen credentials are shared as "combolists" by threat actors. The data in this set originated from credential-stuffing attacks, data breaches at other services, and password-stealing malware, not from any Telegram API vulnerability.
When Did the Telegram Data Breach Happen?
The data collection occurred in 2016, but the full scope and impact became widely known when the database of 361 million accounts was added to the Have I Been Pwned service in July 2020.
Who Hacked Telegram?
While the initial data scraping in 2016 wasn't attributed to a specific group, a pro-Palestinian hacktivist group known as "Handala Hack" later claimed responsibility for leaking a portion of the data. They presented the leak as a strike against Israeli citizens who used the platform. However, the identities behind the original API exploitation remain unconfirmed.
How Did the Telegram Breach Happen?
The attackers exploited a vulnerability in Telegram's contact import feature. By uploading a massive list of phone numbers to the API, they could determine which numbers were associated with active Telegram accounts and retrieve the corresponding user IDs. This process, known as data scraping, allowed them to build a large database connecting phone numbers to user profiles without ever breaking Telegram's end-to-end encryption.
Telegram Data Breach Timeline
2016 API Scraping Incident
2016: Attackers exploit Telegram's contact import API to enumerate which phone numbers are associated with active accounts, harvesting user IDs at scale.
August 2016: Reports surface about the vulnerability, particularly affecting Iranian users. Telegram acknowledges the issue but characterizes the data as already public.
Early 2020: A portion of the scraped data appears for sale on dark web forums.
June 2020: Hacktivist group Handala Hack claims to leak a subset of records targeting Israeli Telegram users.
Ongoing: Telegram implements API rate limiting to reduce further large-scale scraping.
2024 HIBP Combolist Dataset (separate, unrelated incident)
June 2024: An anonymous security researcher shares 122 GB of credentials scraped from thousands of Telegram cybercrime channels with Troy Hunt of Have I Been Pwned. The dataset contains 361 million unique email addresses alongside passwords and, in many cases, the websites the credentials belong to. Hunt adds the data to HIBP on June 4, 2024. This data originates from credential-stuffing attacks, third-party data breaches, and infostealer malware, not from any vulnerability in Telegram's own systems. Telegram's role was as the distribution platform used by cybercriminals to share the stolen data.
August 2024 — Pavel Durov Arrest (discussed below under "Is Telegram Safe after the Breach?")
Technical Details
The core of the attack was a form of API abuse. Attackers automated the process of feeding phone numbers into Telegram's system to see which ones registered a "hit" for an active account. Once an account was identified, the API returned the user's public-facing information, including their user ID. The attackers didn't need to decrypt messages or compromise servers; they simply abused a legitimate feature at a massive scale to harvest publicly available data points.
Indicators of Compromise (IoCs)
Since this was not a traditional malware-based attack, there are no specific hashes, malicious IP addresses, or domains associated with the breach itself. The primary indicator was the mass enumeration of user accounts via the API, which would have appeared as a high volume of contact-related requests from a limited set of sources.
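The enumeration pattern described above can be surfaced from ordinary API access logs. The following is an added example (not Telegram's code or logs): it parses a few constructed log lines for a hypothetical contact-import endpoint and flags any client whose request count or total submitted contacts within a sliding window exceed a threshold.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines for a hypothetical contact-import endpoint.
# Assumed format: ISO timestamp, client id, endpoint, contacts submitted, contacts matched.
SAMPLE_LOG = """\
2016-08-01T10:00:01Z client-A /contacts/import 5 2
2016-08-01T10:00:05Z client-B /contacts/import 500 480
2016-08-01T10:00:09Z client-B /contacts/import 500 470
2016-08-01T10:00:14Z client-B /contacts/import 500 495
2016-08-01T10:00:20Z client-B /contacts/import 500 460
2016-08-01T10:00:33Z client-A /messages/send 0 0
2016-08-01T10:01:02Z client-B /contacts/import 500 488
"""

def parse_log(text):
    """Turn the constructed log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, endpoint, batch, matched = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "client": client, "endpoint": endpoint,
                        "batch": int(batch), "matched": int(matched)})
    return records

def find_scrapers(records, window_seconds=300, max_calls=3, max_contacts=1000):
    """Return {client: peak} for clients whose contact-import volume inside any
    sliding window exceeds either the call count or the total-contacts threshold."""
    by_client = defaultdict(list)
    for rec in records:
        if rec["endpoint"] == "/contacts/import":
            by_client[rec["client"]].append(rec)
    flagged = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        start = calls = contacts = 0
        peak = {"calls": 0, "contacts": 0}
        for rec in recs:
            calls += 1
            contacts += rec["batch"]
            # Slide the window start forward until it fits within window_seconds.
            while (rec["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                calls -= 1
                contacts -= recs[start]["batch"]
                start += 1
            peak["calls"] = max(peak["calls"], calls)
            peak["contacts"] = max(peak["contacts"], contacts)
        if peak["calls"] > max_calls or peak["contacts"] > max_contacts:
            flagged[client] = peak
    return flagged
```

Thresholds are placeholders; in practice they would be tuned against the normal per-client baseline for the endpoint.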
Forensic and Incident Investigation
Investigations revealed that Telegram's end-to-end encryption was never compromised. The incident was a result of data scraping, not a direct hack of Telegram's infrastructure. In response, Telegram acknowledged the issue but argued that the information exposed was already public for users who hadn't adjusted their privacy settings. They later implemented measures to limit the rate of API requests to prevent similar mass-scraping events.
What Data Was Compromised in the Telegram Breach?
The two incidents exposed fundamentally different types of data and must be described separately.
2016 API Scraping Incident: The data exposed here was specific to Telegram accounts — phone numbers used to register Telegram accounts, and the corresponding Telegram user IDs. This connected real-world identities to Telegram profiles. No message content was exposed.
June 2024 HIBP Combolist Dataset: This dataset did not contain Telegram-specific account data. It contained 361 million unique email addresses, alongside passwords and, in many cases, the website the data pertains to. The stolen data was sourced from credential-stuffing attacks, password-stealing malware, and prior data breaches at other services — shared and aggregated in Telegram cybercrime channels. The email addresses and passwords in this set belong to accounts at third-party services, not Telegram accounts specifically.
How Many People Were Affected by the Telegram Data Breach?
The scale differs by incident. The 2016 API scraping is estimated to have exposed around 15 million phone numbers tied to Iranian Telegram users, along with an unknown number of accounts globally. A subset of Telegram users in other countries was also affected.
The June 2024 HIBP combolist is a different matter entirely. The dataset comprised 1,700 files with 2 billion lines and 361 million unique email addresses, of which 151 million had never been seen in HIBP before. However, this figure represents credentials from breaches across many services, aggregated and distributed via Telegram channels — it is not a count of Telegram accounts compromised.
Was My Data Exposed in the Telegram Breach?
You can check if your data was part of this breach by visiting the website HaveIBeenPwned.com and entering your phone number. This service tracks publicly known data breaches and can tell you if your information was included in the Telegram dataset.
Key Impacts of the Telegram Breach
The breach had several significant consequences, despite no message content being leaked:
Loss of Anonymity: For activists, journalists, and others relying on Telegram for privacy, the connection of their phone number to their account was a major security risk.
Targeted Attacks: Threat actors could use the leaked data to launch targeted phishing campaigns, smishing (SMS phishing) attacks, or social engineering schemes.
Reputational Damage: The incident damaged Telegram's reputation as a completely secure and private messenger, highlighting that user metadata can be just as sensitive as message content.
Increased Physical Risk: In authoritarian regimes, linking a dissident's phone number to their Telegram account could lead to arrest and persecution.
Response to the Telegram Data Breach
Telegram's response was criticized by some as dismissive. The company stated that the ability to find users by phone number was a feature, not a bug, and that users could protect themselves via privacy settings. They did, however, add limitations to the API to make large-scale scraping more difficult. No widespread notification was sent to affected users; instead, the breach became public knowledge through security researchers and media reports.
Lessons from the Telegram Data Breach
This incident offers some solid takeaways for both users and developers. You can't just focus on one flashy security feature and call it a day.
Metadata is as Important as Data: Even without message content, knowing who is talking to whom can be incredibly sensitive. Protecting metadata is critical.
APIs are a Major Attack Surface: Developers must implement rate limiting and other controls to prevent abuse of legitimate API functions.
Default Privacy Settings Matter: Users shouldn't have to be security experts to be safe. Secure-by-default settings are a must.
Proactive Threat Hunting is Key: Organizations need to look for unusual activity, like mass data scraping, not just wait for a server to get popped.
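The rate-limiting lesson above is about budgeting lookups, not just HTTP calls: a scraper that sends a few huge batches is as dangerous as one that sends many small ones. As an added example (not Telegram's code or policy), this is a per-client limiter for a hypothetical contact-import endpoint that caps the batch size per request and the total contacts a client may submit per window; the thresholds are assumed values.

```python
import time

class ContactImportLimiter:
    """Per-client lookup budget for a contact-import endpoint (assumed policy).

    Two controls: a hard cap on contacts per request, and a fixed-window budget
    on the total number of contacts a client may submit, so splitting a large
    list into many requests does not evade the limit.
    """

    def __init__(self, max_batch=100, budget=500, window_seconds=3600,
                 clock=time.monotonic):
        self.max_batch = max_batch
        self.budget = budget
        self.window = window_seconds
        self.clock = clock            # injectable for testing
        self.usage = {}               # client -> (window_start, contacts_used)

    def check(self, client, batch_size):
        """Return (allowed, reason); on success the batch is charged to the budget."""
        if batch_size > self.max_batch:
            return False, "batch_too_large"
        now = self.clock()
        start, used = self.usage.get(client, (now, 0))
        if now - start >= self.window:      # window expired: reset the budget
            start, used = now, 0
        if used + batch_size > self.budget:
            self.usage[client] = (start, used)
            return False, "budget_exhausted"
        self.usage[client] = (start, used + batch_size)
        return True, "ok"
```

Rejected requests should also be logged, since a client repeatedly hitting budget_exhausted is exactly the signal a SIEM rule for mass enumeration would key on.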
Is Telegram Safe after the Breach?
Telegram has taken steps to mitigate the specific API vulnerability that led to this breach. The platform's end-to-end encryption for "Secret Chats" remains strong. However, users should be aware that their phone number and other profile information can still be exposed if they don't configure their privacy settings properly. The platform is safer against this specific scraping attack, but users still need to be proactive.
Separately from the API scraping history, the August 2024 arrest of CEO Pavel Durov and Telegram's subsequent policy update significantly changed the privacy calculus for users. Telegram now provides user IP addresses and phone numbers to authorities in response to valid legal requests — a policy that did not exist before Durov's arrest. Users who previously chose Telegram specifically for its resistance to government data requests should be aware that this posture has changed materially. For high-risk users, evaluating alternatives such as Signal (which uses end-to-end encryption by default for all messages) is worth serious consideration.
Mitigation & Prevention Strategies
Protecting your organization from similar data scraping incidents and other threats requires a layered approach. It's not about one magic tool; it's about smart, overlapping defenses.
Multi-Factor Authentication (MFA): Always enable MFA on all accounts. It’s one of the most effective ways to stop unauthorized access, even if your credentials leak.
Patch Management: Keep all software, applications, and systems updated. The bad guys love to exploit old, known vulnerabilities.
Security Information and Event Management (SIEM): Use a SIEM to collect and analyze logs from across your network. This helps you spot weird patterns, like API abuse, before they become a full-blown breach.
Continuous Monitoring: You can't protect what you can't see. 24/7 monitoring of endpoints, servers, and network traffic is non-negotiable for catching threats in the act.
Security Awareness Training: Teach your team how to spot phishing emails and social engineering tactics. A well-trained employee is a powerful line of defense.
Telegram Data Breach FAQs
The breach happened because of a flaw in Telegram's API that allowed attackers to upload millions of phone numbers to see which ones were linked to active accounts. This let them scrape user IDs and phone numbers on a massive scale without ever breaking the app's encryption.
The exposed data included users' phone numbers, Telegram user IDs, and usernames. The content of messages was not compromised, but the leak made it possible to connect real-world phone numbers to specific Telegram accounts.
The original scraping attack in 2016 was not attributed to a specific group. However, a hacktivist group called "Handala Hack" later claimed responsibility for leaking a subset of the data in 2020 as part of a politically motivated campaign.
Businesses can protect against similar threats by implementing rate limiting on APIs to prevent scraping. It's also critical to use multi-factor authentication, conduct regular security audits, and continuously monitor network activity for unusual patterns that could indicate an attack.