Telegram: Telegram Leaks 200M Records & IP Exposure

Telegram’s Privacy Reputation Under Scrutiny After Major Leaks and Vulnerabilities

Telegram, long marketed as a privacy-focused alternative to mainstream messaging apps, has faced growing scrutiny after a series of high-profile data exposures and security flaws revealed significant risks to users. Recent incidents, including a massive data leak, a critical IP disclosure vulnerability, and account compromises, have challenged the platform’s reputation for security.

The 200 Million Record Leak: A Crisis of Trust

In January 2025, a 44GB dataset containing over 200 million Telegram user records surfaced on a data leak forum. The exposed data included email addresses, phone numbers, and usernames, information that is not publicly accessible under normal circumstances. While Telegram dismissed the leak as the result of contact-importing features, researchers confirmed the presence of non-public data, raising concerns about potential phishing, SIM-swapping, and credential-stuffing attacks.

The incident highlighted a key debate: whether the leak stemmed from a new breach or an aggregation of previously scraped data. Regardless of its origin, the exposure underscored the risks of large-scale data leaks, even when the platform itself isn’t directly compromised.

The One-Click IP Leak: A Silent Threat

In January 2026, security researchers disclosed a critical vulnerability in Telegram’s mobile apps that allowed attackers to expose users’ real IP addresses with a single click. The flaw, dubbed the "one-click IP leak," exploited Telegram’s MTProxy system, a feature designed to bypass censorship. When users clicked a disguised proxy link (e.g., one whose visible text appeared to be a username), the app automatically tested the connection, revealing their IP address to the proxy operator before any warning appeared.

The vulnerability affected both Android and iOS users, enabling attackers to geolocate victims, identify ISPs, and potentially compromise operational security for journalists, activists, and corporate users. While Telegram acknowledged the issue and promised a warning prompt, the fix did not address the underlying architectural flaw.
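A defender-side check that a link scanner or mail gateway could apply before a user taps a link, added here as an example and not part of the original article: it recognises the public Telegram proxy link formats (assumed here to be https://t.me/proxy?server=...&port=...&secret=... and tg://proxy?server=...&port=...) and flags the disguise case described above, where the visible anchor text looks like a plain username while the target is a proxy endpoint the client would connect to.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Web hosts Telegram serves deep links from, and the "proxy" path/authority
# used by proxy links (assumed formats, see lead-in).
TELEGRAM_WEB_HOSTS = {"t.me", "telegram.me", "telegram.dog"}
# Telegram usernames: 5-32 chars, letter first, then letters/digits/underscore.
USERNAME_RE = re.compile(r"^@?[A-Za-z][A-Za-z0-9_]{4,31}$")


@dataclass
class LinkVerdict:
    is_proxy: bool
    server: Optional[str]   # host the client would connect to when activated
    port: Optional[int]
    disguised: bool         # visible text looks like a username, target is a proxy
    reason: str


def classify_telegram_link(href: str, display_text: str = "") -> LinkVerdict:
    """Decide whether an anchor points at an MTProxy endpoint.

    Activating a proxy link makes the client open a connection to `server`,
    so such links should be surfaced to the user before any network contact.
    """
    parsed = urlparse(href.strip())
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()
    path = parsed.path.rstrip("/").lower()
    is_proxy = (scheme == "tg" and host == "proxy") or (
        scheme in {"http", "https"} and host in TELEGRAM_WEB_HOSTS and path == "/proxy"
    )
    if not is_proxy:
        return LinkVerdict(False, None, None, False, "not a proxy link")
    qs = parse_qs(parsed.query)
    server = qs.get("server", [None])[0]          # the "secret" parameter is ignored
    port_raw = qs.get("port", [None])[0]
    port = int(port_raw) if port_raw and port_raw.isdigit() else None
    disguised = bool(USERNAME_RE.match(display_text.strip()))
    reason = "proxy link disguised as username" if disguised else "proxy link"
    return LinkVerdict(True, server, port, disguised, reason)


if __name__ == "__main__":
    # Constructed sample: anchor text shows a username, href is a proxy link.
    print(classify_telegram_link(
        "https://t.me/proxy?server=198.51.100.7&port=443&secret=dd00", "@alice_reports"))
```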

The Handala Leak: Misunderstood Account Compromises

A separate incident involving the hacktivist group Handala further illustrated Telegram’s security challenges. The group claimed to have compromised iPhone devices of Israeli targets, but forensic analysis revealed the breaches were due to Telegram account takeovers, not device-level hacks. This distinction highlighted a common misconception: Telegram’s encryption does not protect against account hijacking via SIM swapping, session hijacking, or social engineering.

Why Telegram Is a Prime Target

With over 900 million users, including activists, journalists, businesses, and government officials, Telegram has become a high-value target for cybercriminals. Its vast user base, combined with a 2024 policy shift allowing government access to user data under legal requests, has expanded its threat surface. Cybersecurity firms like NVISO have even recommended that businesses without a critical need block Telegram’s API, citing growing risks.

How Telegram Data Ends Up in Leak Forums

Leaked Telegram data often circulates through underground forums, where threat actors distribute datasets labeled as "Telegram user databases" or "scraped contact dumps." Some cybercrime groups even operate Telegram channels to share stolen credentials, creating a feedback loop where the platform’s own infrastructure aids in the spread of compromised data.

The Broader Implications

These incidents reveal a critical gap between Telegram’s privacy branding and the realities of securing a massive user base. While no platform is immune to leaks, the combination of mass data exposures, architectural vulnerabilities, and account compromises suggests that users must take proactive steps, such as enabling two-factor authentication and scrutinizing links, to mitigate risks.

As messaging platforms remain central to digital communication, the frequency and sophistication of Telegram-related leaks serve as a reminder that privacy promises are only as strong as the security measures behind them.

Source: https://www.dexpose.io/telegram-leaks/

Telegram Messenger cybersecurity rating report: https://www.rankiteo.com/company/telegram-messenger
