Telegram’s built-in contact import feature was exploited to leak the personal data of millions of users onto the darknet.

Telegram, a major privacy-focused messaging app, has suffered a data leak that exposed some personal data of its users on the darknet.

A database containing the personal data of millions of Telegram users has been posted on a darknet forum. The issue was first reported by a Russian-language tech publication on June 23.

According to the report, the database contains phone numbers and unique Telegram user IDs. It remains unclear exactly how many users’ data was leaked, but the database file is about 900 megabytes.

About 40% of entries in the database should be relevant

Telegram has reportedly acknowledged the existence of the leaked database to the publication. The database was collected by exploiting Telegram’s built-in contact import feature at registration, Telegram reportedly said.

Telegram noted that data in the leaked database is mostly outdated. According to the report, 84% of data entries in the database were collected before mid-2019. As such, at least 60% of the database is outdated, Telegram declared in the report. 

Additionally, 70% of leaked accounts came from Iran, while the remaining 30% were based in Russia.

At press time, Telegram has not responded to Cointelegraph’s request for comment. This article will be updated should they respond.

Just the latest leak

This is not the first instance of Telegram users’ phone numbers being leaked. In August 2019, Hong Kong activists reported on a vulnerability that exposed their phone numbers, allowing Chinese law enforcement agencies to track protesters’ identities.

In response to the vulnerability, Telegram expanded user privacy tools in September 2019. Specifically, Telegram introduced a feature allowing users to show their phone number to nobody at all. The feature’s description reads:

“If you set Who Can See My Phone Number to ‘Nobody’, a new option will appear below, allowing you to control your visibility for those who already have it. Setting Who Can Find Me By My Number to ‘My Contacts’ will ensure that random users who add your number as a contact are unable to match your profile to that number.”

The report comes soon after Russian authorities lifted the two-year ban on the Telegram app in the country. Subsequently, some reports outlined certain anomalies on Telegram that purportedly compromised the security of its customers.

Source: cointelegraph