An Elasticsearch database holding 42 million records of Iranian Telegram users was found on the web, for anyone to access. The private data included phone numbers and user names, and it’s unclear how long it was exposed.

Despite heavy restrictions targeting the Telegram app in Iran, it remains one of the most-used communication platforms in the country.
Its end-to-end encryption technology allows users to talk among themselves
without anyone snooping on the conversation.

The fact that Telegram is open source is a problem, in this situation, because a number of forks have appeared in Iran, and some people
choose to install those instead of the official app. These forks are not as
secure, and the data they collect could end up the wrong place, which is
exactly what happened in this case.

The database was found by Comparitech and security researcher Bob Diachenko. Telegram confirmed that the data comes from third-party forks of their apps.

“We can confirm that the data seems to have originated from third-party forks extracting user contacts,” the company said. “Unfortunately, despite our warnings, people in Iran are still using unverified apps. Telegram
apps are open source, so it’s important to use our official apps that support
verifiable builds.”

It took 11 days for the database to be taken down, but the researchers say the data was accessed by other parties, including a hacker who reported the information to a specialized forum.

The database contained account IDs, usernames, phone numbers, and hashes and secret keys. The good news is the hashes and keys can only be accessed from inside the account of the user they belong to. It’s also
unclear what entities control the Telegram forks in Iran, and whether they are private or state-owned.