Mark Loveless, Senior Security Researcher at Duo Labs:
“Reports suggest that the Telegram accounts in Iran were compromised through what appears to be coordination between attackers and cellphone companies, and taking advantage of the fact that SMS is used to add new devices to existing Telegram accounts. While this implies cooperation by the cellphone companies, this cooperation is often not required. Attackers have been known to social engineer cellphone companies to get the same level of “coordination” or use other more technical means to compromise SMS, leaving all applications that use security measures involving SMS to be vulnerable. This is exactly why NIST recommends against using SMS as a part of 2FA (Two Factor Authentication), and why we always encourage our customers to use the cryptographically secure Duo Push for 2FA.
This is still not an excuse for using a weak or even no password at all on Telegram accounts. Reducing one of your two factors for authentication reveals any weaknesses in the other factor. Always use strong and unique passwords on all accounts – but especially in cases where it is being used to protect secure communications. This also includes email accounts that are used for password recovery.”