From Telegram Blog:
Some media reported on a “massive” hacker attack on Telegram in Iran.
Here’s what really happened:
Telegram accounts
Certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts. As a result, only publicly available data was collected and the accounts themselves were not accessed. Such mass checks are no longer possible since we introduced some limitations into our API this year.
However, since Telegram is based on phone contacts, any party can potentially check whether a phone number is registered in the system. This is also true for any other contact-based messaging app (WhatsApp, Messenger, etc.).
SMS codes
As for the reports that several accounts were accessed earlier this year by intercepting SMS-verification codes, this is hardly a new threat as we’ve been increasingly warning our users in certain countries about it. Last year we introduced 2-Step Verification specifically to defend users in such situations.
If you have reasons to think that your mobile carrier is intercepting your SMS codes, use 2-Step Verification to protect your account with a password. If you do that, there’s nothing an attacker can do.