Earlier in the year, a mass culling of data from Telegram went unreported. You would think that a huge data breach, involving 15 million users to be exact, would be reported to somebody, rather than simply ignored until now. As it turns out, there's a reason for that. The information that was retrieved from Telegram's servers was all publicly available information, and when word got out recently, it caused a bit of an uproar. Telegram was forced to make a statement to dispel the panic, since the "attack" not only didn't manage to get any information that wasn't publicly available, but the exploit used in the mass scan has since been disabled in Telegram's APIs. A slightly more malicious hack took place, but it was not specific to Telegram.
The specifics of the exploit weren't revealed, but essentially, Iranian hackers used a tool to mass-scan phone numbers to see if they're on Telegram. After figuring out about 15 million telephone numbers that were on the service, the hackers then managed to get into upwards of a dozen accounts. The way they did it is tied to Telegram's activation method; to put a new device on an account, an SMS is sent. That SMS message can be intercepted by the phone company and shared with outside parties, allowing them to add any device they want to a Telegram account and view messages or pose as the user. While this sounds like a major breach of ethics, some hackers really do have friends in high places, like the ones behind this hack did.
The more serious hack is out of Telegram's hands, and could happen on just about any service that uses SMS for two-factor authentication. With the right connections in a mobile carrier's offices, enterprising hackers could get into just about anybody's Facebook, WhatsApp, or a number of other services that allow a user who's forgotten their password to get in via SMS. Telegram has long warned users of such vulnerabilities, and there's not much they can really do about it, much like the SS7 vulnerability in cellular networks that can let a hacker into a device with little more than their phone number. For now, Telegram has advised users to "Keep Calm and Send Telegrams".
