Encrypted instantaneous messaging service Telegram has denied hackers breached its programs to realize the phone numbers of 15 million Iranian customers.
Checks on cellphone numbers had revealed “publicly obtainable information”, it mentioned.
But it surely admitted that hackers might have compromised greater than a dozen accounts by intercepting SMS verification codes however added this was not a “new menace”.
It mentioned customers in “sure nations” ought to use “two-step verification to guard your account with a password”.
Collin Anderson, a safety researcher working with human rights group Amnesty, mentioned hackers had “recognized” the cellphone numbers of 15 million Iranian customers and “compromised” greater than a dozen Iranian accounts.
They’d gained entry to the accounts after SMS codes despatched to customers wishing to go online to the service from a brand new cellphone had been “intercepted”, he mentioned.
Utilizing the codes, the hackers might add new gadgets to an individual’s Telegram account, enabling them to learn chat histories and new messaging, Mr Anderson mentioned.
The usage of SMS codes was a specific drawback in a rustic the place cellular firms have been owned or influenced by the federal government, he mentioned.
“We have now over a dozen circumstances through which Telegram accounts have been compromised by ways in which sound like principally co-ordination with the cell-phone firm,” he mentioned.
The assaults – by hacking group as Rocket Kitten, which usually carries out “a typical sample of spear-phishing campaigns reflecting the pursuits and actions of the Iranian safety equipment” – might have jeopardised the communications of activists, journalists and different customers in delicate positions in Iran, he added.
Telegram promotes itself as an ultra-secure instantaneous messaging system with end-to-end encryption.
The service, which has its headquarters in Berlin, says it has 100 million energetic subscribers and is extensively used within the Center East, together with by the so-called Islamic State group.
In a blog post, the Telegram workforce denied that its programs had been breached.
“Sure individuals checked whether or not some Iranian numbers have been registered on Telegram and have been in a position to verify this for 15 million accounts,” it mentioned.
“In consequence, solely publicly obtainable information was collected and the accounts themselves weren’t accessed.
“Since Telegram is predicated on cellphone contacts, any occasion can doubtlessly verify whether or not a cellphone quantity is registered within the system.
“That is additionally true for another contact-based messaging app.”
On the difficulty of the doable interception of SMS codes, the corporate wrote: “We have been more and more warning our customers in sure nations about it, and final 12 months we launched two-step verification particularly to defend customers in such conditions.
“When you’ve got causes to assume that your cellular provider is intercepting your SMS codes, use two-step verification to guard your account with a password.
“In the event you do this, there’s nothing an attacker can do.”
Iranian officers have declined to remark, however have prior to now denied authorities hyperlinks to hacking.
Each Fb and Twitter are banned in Iran, and in Might the federal government ordered instantaneous messaging apps comparable to Telegram to retailer information about Iranian customers contained in the nation.
The Supreme Council of Our on-line world gave firms one 12 months to conform.