Telegram prides itself on private messaging that lets activists escape government censorship and crackdowns, but it might have a crisis on its hands in Iran. Security researchers speaking to Reuters say that an Iranian hacking group has not only breached over a dozen Telegram accounts, but identified the phone numbers of over 15 million of the service's users in the country. The intruders reportedly intercepted SMS authentication codes and used those to add devices to their accounts, letting them read messages and impersonate others. To get the phone numbers, they took advantage of a Telegram programming interface.
It's not certain that the Iranian government is behind the attacks. However, the culprits (Rocket Kitten) have launched phishing campaigns that reflect official "interests and activities," according to the researchers. Also, the compromised targets included members of both opposition and reform groups -- and it's safe to say that some of those 15 million phone numbers could expose other activists and journalists.
So far, Telegram is portraying this as more a question of weak user security than a vulnerability. It tells Reuters that you can protect against these attacks by creating a strong password (which is strictly optional) that would add a layer of security. However, it raises a question: why aren't there security measures that could prevent this, such as making passwords mandatory? While this wouldn't solve all of Telegram's issues with Iran (the nation insists that companies store data in the country to facilitate censorship and spying), it would be an important start.