Telegram Leaks 200M Records, IP Exposure & What’s Really at Risk

Telegram has long marketed itself as the privacy-first alternative to mainstream messaging apps. But a series of high-profile leaks and newly discovered vulnerabilities have fundamentally challenged that reputation, and the risks are far more layered than most users realize.

Telegram has built its reputation as a fast and privacy-focused messaging platform used by hundreds of millions of people worldwide. However, recent cybersecurity research and data exposure incidents have sparked conversations about Telegram leaks and how user information can sometimes appear in leaked datasets or be exposed through technical vulnerabilities.

While Telegram itself has not experienced a traditional breach in many of these cases, security experts warn that Telegram’s leaked data, scraped records, and privacy flaws can still pose risks to users. Understanding how these incidents happen helps explain why Telegram leaks continue to appear in cybersecurity reports and threat intelligence discussions.

This article explains the major Telegram leak incidents, the vulnerabilities and data-exposure risks researchers have identified, and what users should know to protect their privacy.

The 200 Million Record Leak That Shook Telegram’s Foundations

In early 2025, a dataset containing over 200 million Telegram user records surfaced on a well-known data leak forum. The post appeared on January 24 and drew immediate attention from the cybersecurity community, and for good reason. The Telegram leaked dataset, spanning three separate databases labeled “Telegram user data,” “Source platform,” and “Telegram,” totaled 44GB of uncompressed data and included email addresses, phone numbers, and usernames.

Researchers who analyzed a sample of the exposed data found approximately 66 million phone numbers paired with user IDs, along with 10 million additional user records. A deeper look at the full dataset revealed some 60 million likely Telegram records, including collections that exposed 16 billion credentials in total.

Telegram’s official response attempted to downplay the exposure. A company spokesperson claimed the records only revealed user IDs and public usernames, the natural result of contact-importing features rather than a system intrusion. “These records appear to be the result of importing contacts,” the spokesperson told Cybernews, adding that no private data was exposed. But that statement was directly contradicted by the presence of email addresses in the leaked sample, data that is not publicly accessible on Telegram’s platform under normal circumstances.

Researchers remained divided on whether this constituted a new breach or an aggregation of previously scraped data and stolen credentials. What wasn’t in dispute: the exposure of this much contact information creates fertile ground for large-scale phishing campaigns, identity theft, SIM-swapping attacks, and credential stuffing across other platforms.

Understanding the Growing Concern Around Telegram Leaks

In the cybersecurity community, the term “Telegram leaks” refers to instances in which user data from Telegram accounts appears in public databases, hacker forums, or leaked archives.

These incidents may happen for several reasons:

  • Data scraping through public contact discovery features
  • Aggregated datasets compiled from multiple sources
  • Vulnerabilities exposing technical information, such as IP addresses
  • Databases shared on cybercrime forums claiming to contain Telegram user records

Because Telegram accounts are tied to phone numbers, even partial data exposures can become valuable for cybercriminals. When a leaked dataset appears online, attackers may use it for phishing campaigns, identity linking, or targeted scams.

As messaging platforms become central to communication, the risks associated with leaked Telegram data incidents continue to grow.

One Click Is All It Takes: The IP Leak Vulnerability

Just as the data leak story was gaining momentum, security researchers disclosed a separate, and arguably more dangerous, flaw in Telegram’s mobile applications. Publicly disclosed on January 10, 2026, by researchers, including one operating under the handle @0x6rss, the vulnerability quickly became known as the “one-click IP leak.”

The mechanics are deceptively simple. Telegram includes a built-in MTProxy system, originally introduced in 2018 to help users in countries with restrictive internet access bypass censorship. When a user taps a proxy configuration link (formatted as t.me/proxy?…), Telegram automatically initiates a test connection to verify the proxy server is online. The critical flaw: this connectivity check occurs before any user confirmation is shown, and it routes directly from the device’s real network interface, bypassing any VPN or SOCKS5 proxy the user might have configured.

The result is that an attacker who controls a fake MTProxy server can log the real IP address of anyone who clicks the link. Because Telegram’s interface allows these proxy links to be disguised as ordinary usernames, a link that appears as @durov in a chat could actually resolve to a malicious proxy URL; victims have no reliable way to detect the trap before clicking.
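
A defensive check for the disguised-link behaviour described above, as an added example that is not from the original article or from Telegram: it scans message entities in the Bot API JSON shape (an assumed input format) and flags links whose real target is a proxy deep link. The `server`/`port` query names, the `tg://` and `socks` forms, and all sample values are assumptions or constructed data.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts and actions that open a proxy setup dialog (assumed list, extend as needed).
LINK_HOSTS = {"t.me", "telegram.me"}
PROXY_ACTIONS = {"proxy", "socks"}

def proxy_target(url):
    """Return (server, port) if url is a proxy deep link, else None."""
    if "://" not in url:
        url = "https://" + url                      # bare "t.me/proxy?..." form
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    action = None
    if parts.scheme == "tg":                        # tg://proxy?server=...
        action = host
    elif parts.scheme in ("http", "https") and host in LINK_HOSTS:
        action = parts.path.strip("/").lower()
    if action not in PROXY_ACTIONS:
        return None
    query = parse_qs(parts.query)
    return query.get("server", ["?"])[0], query.get("port", ["?"])[0]

def utf16_slice(text, offset, length):
    """Entity offsets count UTF-16 code units, not Python characters."""
    raw = text.encode("utf-16-le")
    return raw[2 * offset:2 * (offset + length)].decode("utf-16-le")

def scan_message(msg):
    """List proxy links in a message and whether the visible text hides them."""
    findings = []
    for ent in msg.get("entities", []):
        if ent.get("type") not in ("text_link", "url"):
            continue
        label = utf16_slice(msg["text"], ent["offset"], ent["length"])
        target = proxy_target(ent.get("url", label))  # "url" entity: text is the link
        if target:
            findings.append({"label": label, "server": target[0],
                             "port": target[1], "disguised": target[0] not in label})
    return findings

# Constructed sample messages (documentation-range IPs, made-up secret).
HIDDEN = {"text": "👋 contact @durov for help", "entities": [
    {"type": "text_link", "offset": 11, "length": 6,
     "url": "https://t.me/proxy?server=203.0.113.5&port=443&secret=EXAMPLE"}]}
PLAIN = {"text": "tg://proxy?server=203.0.113.9&port=8443&secret=EXAMPLE",
         "entities": [{"type": "url", "offset": 0, "length": 54}]}

if __name__ == "__main__":
    print(scan_message(HIDDEN), scan_message(PLAIN))
```

A moderation bot or a chat-export review can treat any finding with `disguised` set as a message to hold or annotate before users tap it.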

Researchers compared the mechanism to NTLM hash leaks in Windows environments, where a crafted link triggers an automatic background authentication request that betrays the user’s identity. The parallel is apt: in both cases, a convenience feature designed to streamline user experience silently exposes sensitive network data.

Both Android and iOS clients were confirmed as vulnerable. Proof-of-concept code was published on GitHub shortly after the disclosure, showing that captured IP addresses appeared in real time on the attacker’s server, along with precise timestamps.

For the average user, an exposed IP address might feel abstract. But in practice, it enables geolocation accurate to the neighborhood level, ISP identification, and, in corporate environments, workplace identification. For journalists, activists, or dissidents relying on Telegram to communicate under oppressive regimes, a single click on a disguised link could compromise years of operational security.

Telegram acknowledged the issue when pressed by BleepingComputer, but initially deflected by noting that proxy operators naturally see the IP addresses of people who connect to them. After further questioning, the company committed to adding a warning prompt to proxy links in a future update, a fix that, while helpful, does not address the underlying architectural decision to run the connectivity check before displaying any user-facing confirmation.

The Handala Leak: When Account Compromise Is Mistaken for Device Hacking

A separate but instructive Telegram leak episode involved the hacktivist group known as Handala, which claimed to have obtained access to sensitive communications from Israeli targets. The group alleged they had compromised iPhone devices, a headline-grabbing claim that drew significant media attention.

Cybersecurity analysts who examined the technical evidence reached a different conclusion. The leaked data showed signs of Telegram account compromise, not device-level intrusion. This distinction matters enormously. Attackers who gain access to a Telegram account through session hijacking, SIM swapping, or social engineering can read messages, access contacts, and impersonate the account holder. None of that requires breaking into an iPhone.

The episode illustrates a recurring problem in how Telegram leaks are reported and understood: the platform’s perceived association with security often leads both users and media to underestimate how vulnerable accounts themselves are when proper protections aren’t in place. Two-factor authentication, active session monitoring, and caution with linked devices are not optional add-ons; they are fundamental to any meaningful security posture on the platform.

Why Telegram Has Become a High-Value Target

Understanding the frequency and diversity of these leaks requires understanding Telegram’s position in the digital ecosystem. With over 900 million users and a reputation, deserved or not, for privacy and minimal moderation, the platform has attracted an extraordinarily wide range of users: activists, journalists, criminals, businesses, government officials, and ordinary consumers.

That breadth of sensitive users makes it an extraordinarily attractive target. Cybersecurity consulting firm NVISO has gone so far as to recommend that businesses without an essential operational need for the platform consider blocking Telegram’s API entirely, a striking recommendation for an app this widely used.

The platform’s threat surface has also expanded with a notable policy shift: in 2024, Telegram founder Pavel Durov agreed to share user IP addresses and phone numbers with government authorities who submit valid legal requests. For a platform whose identity was partly built on resisting such demands, this represented a significant change, and a reminder that no platform’s privacy promises are unconditional.

How Telegram Data Ends Up in Leak Forums

When cybersecurity researchers track Telegram leaks, they often discover that the data is distributed through underground communities.

Leak forums and hacker marketplaces frequently publish databases labeled as:

  • “Telegram user database”
  • “Leaked telegram accounts”
  • “Telegram scraped dataset”
  • “Telegram contact dump”

These archives may contain real information, partially accurate data, or even fabricated entries. However, once a dataset is released online, it can spread rapidly across forums and file-sharing networks.

Telegram itself can sometimes become part of the distribution chain. Certain cybercrime communities operate Telegram channels dedicated to sharing leaked databases, stolen credentials, or hacking tools.

This creates an unusual cycle in which Telegram leaks are discussed, shared, and redistributed on the same platform whose data is being exposed.

Threat intelligence analysts monitor these channels to track emerging breaches and identify newly circulating data leaks.

Why Telegram Leaks Are Valuable to Cybercriminals

Messaging platforms contain highly valuable information for attackers.

Even when messages remain encrypted, account-level information such as phone numbers or usernames can be extremely useful.

A Telegram leak dataset may allow attackers to:

  • Launch targeted phishing campaigns
  • Identify users across multiple social platforms
  • Send scam messages directly to victims
  • Attempt account takeover attacks
  • Map communication networks

For example, if attackers obtain a phone number connected to a Telegram account, they might send fake messages pretending to be support teams, companies, or even friends.

Because Telegram is often used for both personal and professional communication, a successful scam targeting Telegram users can have serious consequences.

How Users Can Protect Themselves From Telegram Leak Risks

The accumulation of Telegram leak incidents, from mass data exposure to silent IP disclosure, points toward a set of practical, actionable protections that any Telegram user should implement immediately.

Enable two-factor authentication and use a strong, unique password. This remains the single most effective defense against account takeover, regardless of what data has already leaked.

Be skeptical of every link in Telegram, including ones that appear to be ordinary usernames. Until Telegram’s promised warning prompt is deployed, there is no reliable in-app indicator distinguishing a malicious proxy link from a standard profile reference. Long-pressing links on mobile to preview the raw URL before tapping is a useful habit.

Do not rely solely on Telegram’s built-in proxy for anonymity. The one-click IP leak vulnerability demonstrated that the MTProxy system does not protect your real IP address as many users assumed it would. A device-level VPN routes all application traffic, including Telegram, through an encrypted tunnel, preventing IP exposure even when a proxy link initiates a direct connection.

Check whether your data was included in known breaches. Services like Have I Been Pwned aggregate breach data and can indicate whether your email or phone number has appeared in known datasets.

Review active sessions regularly. Telegram allows users to see all active sessions and connected devices. Unfamiliar sessions should be terminated immediately, and any suspicious account activity should prompt an immediate password change and session revocation.

The Future of Telegram Leaks and Messaging Security

Messaging apps will remain a primary target for attackers as digital communication continues to grow.

Telegram, with its large global user base and strong privacy reputation, will likely continue to feature prominently in cybersecurity research on leaks, data scraping, and account exposure.

However, most incidents involving leaked Telegram data highlight a broader reality of modern cybersecurity: information rarely comes from a single breach.

Instead, attackers assemble data from multiple sources, combining scraped records, leaked databases, and public profiles into massive archives.

For users, the key takeaway is awareness. Even platforms designed for privacy cannot eliminate the possibility of leaked Telegram datasets appearing online.

Understanding how these exposures happen helps users make smarter decisions about what information they share and how they secure their accounts.

Conclusion

The series of Telegram leaks, IP exposure vulnerabilities, and account compromises emerging in 2025 and 2026 collectively tell a story about the gap between a platform’s privacy marketing and the operational realities of securing hundreds of millions of accounts. No technology is perfect. But the pattern here, a mass data leak whose authenticity is disputed, an architectural flaw that silently exposes users’ real locations, and a high-profile hack reframed as account compromise rather than device intrusion, suggests that Telegram’s privacy promise requires far more active participation from users than the platform’s reputation implies.

Trust in a messaging platform should be built on transparency, timely patching, and clear communication about what the platform can and cannot protect. Whether Telegram’s response to these disclosures meets that standard is a question each user will need to answer for themselves, ideally before clicking on the next unfamiliar link.
