IT Week describes how fraudsters hack into personal Telegram accounts by gaining access to their owners’ mobile numbers and gives tips on how to protect yourself from this.
The story of one hack
Nothing boded ill that Monday. It was an eventful day, and when I received a message from one of my Telegram contacts asking me to vote in a children’s drawing contest, I didn’t immediately pay attention to it. To be honest, I didn’t know the person behind this contact very well, and I didn’t even know if she had children, but the request didn’t seem suspicious to me either. The message included a link to a website, which I clicked on to vote.
There was indeed a voting panel on the site, but to cast a vote, I had to log in. “It makes sense,” I thought, because the site was supposed to somehow prevent repeat voting. To log in to the site, I was asked to enter my phone number in the appropriate format and then confirm it with a code sent via SMS.
After completing these steps, I quickly voted for the desired drawing and closed the site. Nothing suspicious happened for the rest of the day. Problems began the next day when I was “thrown out” of Telegram, and when I tried to log in again, I received the message “Too many login attempts!”
I put off this task for a while, even though I suspected something was wrong. But when my friends started asking me through other communication channels what had happened to me and why I was suddenly asking them for large sums of money, I finally realized that my Telegram had definitely been hacked.
Reconstruction of events
As it turned out later, my friend’s account, from which the link with the offer to vote in the children’s drawing contest came, had also been hacked. That’s why the fraudsters were sending phishing messages from that Telegram account to its contact list.
When I entered my phone number on the website of the so-called contest and then the code from the SMS to confirm it, the cybercriminals read the data from the site and entered the same number and code on the official website of the messenger to log into Telegram under my account.
Of course, if I had realized in time that I had been hacked, I could have selected the “Active Sessions” item in the Devices section of the app and clicked “End all other sessions”. This way, I would have kicked the scammers out of my Telegram account.
But I didn’t pay attention to any warning messages in the messenger, and the criminals waited 24 hours and then kicked me out of my own account. Let me remind you that the application’s security measures are configured in such a way that all other active sessions can be terminated only if at least 24 hours have passed since the login.
This way, the attackers were able to terminate other sessions and take full control of my Telegram. After doing so, they started sending messages to my contact list asking my contacts to lend them money. At the same time, on another computer, the criminals’ bot constantly repeated “failed attempts” to log in to my account – this was done in order to trigger a flood_wait event (a temporary ban on performing any actions for a specific account) and make it very difficult for me to log in again.
What I did to restore my account
In fact, the first thing I did after realizing that I had been hacked was to send a warning to my friends through other channels that my TG was hacked and that they should not respond to any requests from my account.
Since I still had my phone number, I could try to restore my account through the website https://web.telegram.org/k/. To do this, I had to enter my number and authorization code. If I had managed to stay logged in for 24 hours in a row, I could have ended other active sessions and thus regained control of my Telegram. However, the scammers noticed in time that I had opened a new session and forcibly closed it. Several days of trying to do this did not bring any results.
So I had two options: either wait until the attackers concluded that they had already received all the possible benefits from my account and no longer needed it, or try to delete it and create it again after a while. Of course, then I’d lose the entire message history, and I’d have to add contacts all over again, but what can you do? Fortunately, I was not the sole owner of the Telegram groups and channels, because if you delete your account, all these groups will be left without an owner forever, and no one will be able to manage them.
To delete your account, please follow the link: https://my.telegram.org/auth?to=delete. It is more convenient to perform this procedure in a browser on a computer rather than from a phone. You should also keep in mind that the confirmation code for deletion does not come in an SMS, but in an internal message directly in Telegram.
So, I opened two pages in my browser. The first one is authorization in Telegram. The second is deleting an account in the messenger. My task was to log in to the application and immediately, before the fraudsters closed my session, submit a request to delete my account.
Since I had to act very quickly, I pre-entered my phone number on the deletion page, but did not click the “Next” button until I logged into Telegram on my computer. Then I switched to the deletion page, clicked Next, then went back to the page where I had logged in and waited for the confirmation code to arrive. When it arrived, I quickly took a screenshot (in case the attackers closed my session before I could copy the code), and then entered the code to confirm the deletion.
Basically, that was the end of the story with the hacking of my account. The same day in the evening, I re-registered my Telegram account to the same phone number and am now gradually restoring my contact list.
A few caveats for the future
So, in order not to lose your account in TG or any other messenger, do not accept files, do not open any links from unfamiliar users or even friends, unless you have agreed on such things in advance!
If you do click on a suspicious link, do not enter any data or access codes until you are sure that the SMS you received is not an access code to one of your messengers or your bank account. Usually, the SMS itself will say what the access code is for.
If you receive a notification in Telegram about unauthorized access to the application on another device, immediately go to Settings > Privacy > Devices in the menu. If there are unfamiliar devices in the list, delete such sessions from the list. To log out of all devices except the current one, click End all other sessions.
You can also set a local passcode for the app to protect your account, and be sure to set or change an additional 2FA password: Privacy > Two-Step Authentication (or Cloud Password). Don’t forget to specify an email to recover your password in the future.