by akoster 1519 days ago
Though my heart goes out for what happened to Rina, despite her claims that the 6 group chat participants were careful, I resonate with this reply [0]. Most likely, one of her group chat participants may have left a web or desktop session logged in on a public PC, or on that of a friend or family member whose home may have been raided by the authorities, allowing them access to a logged-in session. Another option is that they may have done so via malware [1] or a fake site [2]. Or, since the government may work closely with mobile operators, an SS7 attack [3] or even having an employee of a mobile operator redirect a login text message may all be in the cards and much more accessible than a pricey Pegasus or other mobile attack vector, as Rina suggests.

I highly recommend that everyone using Telegram (or other web services) enable their 2nd factor authentication [4]. This, combined with reviewing your active sessions and the Telegram channel for login notifications, can allow you to defeat any of the above attacks (with the possible exception of the recovery@telegram.org email service?). For Telegram, this will prompt for a password in addition to the required code sent to another active Telegram session or, if there is none, via SMS. You can provide an email address for recovery purposes or avoid that entirely (which may be a problem if this password is forgotten).

In addition, recently I was prompted in the Telegram settings pane to confirm my number has not changed, and that I still remember my password, even providing a way to test it. I am not sure what would happen if I said I forgot it (would I be allowed to reset it? would all other active sessions be signed out?) but it seems the Telegram team is making an effort to keep users safe in light of attacks on SMS.

[0] https://twitter.com/white_shy/status/1518908527934423040

[1] https://www.zdnet.com/article/telegrab-malware-hijacks-teleg...

[2] https://usa.kaspersky.com/blog/telegram-accounts-stealing/14...

[3] https://www.bleepingcomputer.com/news/security/hackers-hijac...

[4] https://telegram.org/blog/sessions-and-2-step-verification