What to do if Your Telegram Account is Stolen?

Some Telegram users are faced with the fact that their accounts are being accessed by attackers.

Does this mean that Telegram encryption protocols are not safe? How and why do attackers manage to steal user accounts? What to do if scammers have stolen a Telegram account? How to protect your account from being stolen?

We offer you the most complete and detailed guide on how to return a stolen Telegram account and protect it from future thefts.

The most important

If attackers stole your Telegram account, then the future fate of the account depends on how quickly and thoughtfully you react to this. At the same time, the clarity and thoughtfulness of your actions are more important than speed. For example, many users are so scared of account losing that they hastily delete the Telegram application from their mobile device, hoping that this will help them get rid of the scammers. After reading the article, you will understand why this should never be done, and also learn how to behave correctly in a given situation.

Our general recommendations:

  1. Take your time.
  2. Read this article carefully. Read all its points: even those that do not apply to your specific situation.
  3. If you still have questions, contact the Telegram Info English Chat group and ask them to experienced users.

If you think that your account has been stolen, then you need to act in the following sequence:

    1. Make sure that the account has really been stolen.
    2. Deprive the attackers of access to the account.
    3. Protect your account from future thefts.

    If you see that someone you know has been stolen, please do the following:

      1. Tell the victim that their account has been stolen. Try to do this in some other way than Telegram.
      2. Forward them a link to this article.
      3. Be prepared to file a complaint about the stolen account. Please do not do this unless the real owner of the account asks you to do so!

      1. How to understand if your account has been stolen?

      Your account has probably been stolen if you see any of the following signs (or several at once):

      1. You received a message from a Telegram service account about a new successful authorization, but you yourself did not log in to your account on the new device.
      2. Other users receive messages from you in private chats that you did not send. As a rule, these are messages asking to transfer money or follow a link. Note: these messages may not be displayed in your account, since attackers often delete them “for themselves” immediately after sending them.
      3. New groups and channels appear in your chat list by themselves, although in your account settings (“Settings › Privacy › Groups and channels”) no one is allowed to add you to either groups or channels.
      4. Your account name, avatar, or text in the “Bio” column has changed, and you did not change them.
      5. In the list of devices on which you are logged into your account (on a PC – “Settings › Privacy and Security › Active sessions”, in mobile applications – “Settings › Devices”), there are devices that are not yours.
      6. You were unexpectedly kicked out of your account on all devices, and when you try to log back in, you encounter one or another difficulty.

      2. How to kick scammers out of your account?

      It depends on what situation has developed in your account:

      1. You are logged into your account on one of your devices.
      2. You are not logged into your account on any of your devices.

      2.1. Logged into your account

      If you have a device on which you are logged into your account, you need to do the following:

      1. Open the list of devices on which you are logged in: on a PC — “Settings › Privacy and Security › Active sessions”, in mobile applications — “Settings › Devices”.
      2. Click the “Terminate All Other Sessions” button.
      3. Make sure that the application does not show any error message, and other sessions have actually ended.
      4. If you are using a PC with Windows or macOS, then:
        • Log into your account on a mobile device (Android or iPhone).
        • End the session on the PC. This is important: see section 4.2.
      5. Protect your account from future thefts: see section 6.

      If you see the message “Session closure from a new device is unavailable for security reasons when trying to close other sessions. Please use the device you signed in to before or try again in a few hours” when trying to close other sessions, it means you signed in to this app less than 24 hours ago and it is not yet possible to close other sessions.

      It may seem strange, illogical and outrageous, but this is how Telegram works: if you have logged in for less than 24 hours, you cannot end other sessions.

      You may see attackers sending messages with malicious links to your friends and family. You may see Chinese porn channels appearing in your chat list. You may see attackers deleting your chats, leaving your groups, posting cryptocurrency ads in your channels and clearing your Favorites. Your object is not to give away your presence in any way for the first 24 hours after logging in. Until a full day has passed, attackers can kick you out of your account, but you cannot kick them out. So you should sit as quietly as possible and not give away your presence in any way.

      Unfortunately, even in this case, attackers can still easily detect that you are logged in to your account and forcibly end your session. This is covered in section 2.2.2.

      Here’s what you shouldn’t do:

      1. Log out of your account in the hope that this will somehow stop the scammers. It won’t, but on the contrary, it will help them: you will deprive yourself of the old session, and with it the opportunity to kick the scammers out of your account.
      2. Delete the Telegram application from your device. This will also make it easier for the scammers.
      3. Send messages to all your contacts like “Don’t transfer money or follow the link, it wasn’t me, my account was stolen!” before you terminate all other sessions. The scammers will be able to see them, understand that you are in the account, delete your messages, and at the same time kick you out of the account.

      2.2. Account not logged in

      If your account has been stolen and you do not have any devices with a logged in device, then you need to do the following:

      1. Log in to your account.
      2. Stay in it for 24 hours without giving away your presence (see section 2.1).
      3. Terminate the intruders’ sessions.

      If your account has not previously been switched by the Telegram platform to authorization by email, then keep in mind the following:

      1. If you do not have access to a SIM card with a phone number linked to the account, then there is no any chance of restoring access to the account. The Telegram platform will under no circumstances allow a user who cannot receive an authorization code to their Telegram account or to their SIM card to access the account. Neither knowing the 2FA password, nor access to email to reset it, nor willingness to tell one of the Telegram volunteers about the contents of your chat or contact list, nor willingness to send a selfie similar to the account avatar, nor willingness to provide scanned copies of your passport and contract with a mobile operator, nor anything else will help. Telegram does not accept any of this as proof of account ownership: it is only important if you are able to get the code on the SIM card with the number specified in the account settings.
      2. You will be able to log in to your account only from a mobile device, because you will not be able to request a login code in the form of a call or SMS from any other device.

      When you try to log in to your account, you may find yourself in one or more of the following situations in turn:

      1. You will log in to your account immediately.
      2. You will log in to your account, but you will soon be kicked out of it.
      3. The login code will be sent to another device.
      4. The login code will be sent to email you do not own.
      5. The app will ask for a 2FA password that you don’t know.
      6. The app won’t let you into your account because there have been too many attempts.
      7. The app will offer to create a new account.
      8. The app will report that the phone number is banned.

      Let’s look at all these situations in more detail.

      2.2.1. You will immediately be able to receive a one-time code for login and log into your account

      You are lucky. First, go to the section “Settings › Privacy and Security › Active sessions” and check if there are any unknown devices or PC-type devices. If they are not there, then you are doubly lucky: you probably managed to repel the attack of intruders, and now all that remains is to protect your account (see section 6).

      But if there are unknown devices, then it is too early to celebrate victory: in the coming hours, you will not be able to prevent the intruders in any way. This is described in detail in section 2.1.

      2.2.2. You will log in to your account, but after some time you will be kicked out again

      If your account is logged in on the attackers’ device, then as soon as you log in to your account, they will receive a notification about it. If their session has existed for more than 24 hours (and most likely this is the case), then they will be able to easily log you out. In this case, you will have to make a difficult choice:

      1. If saving your account data (chats and contacts) is more important to you than immediately depriving the attackers of access to your account, then you can continue to try to log in. You should not do this too often: Telegram may simply stop sending you codes for login, or even temporarily block login from your device (see section 2.2.6). Perhaps, if you log in to your account late at night, the attackers will not notice your login, although the chances of this are small: usually stolen accounts are not controlled by living people, but by programs, and programs do not sleep. But there is also good news: sometimes the Telegram platform itself notices suspicious activity on the account and forcibly terminates all sessions; if you are lucky, then after some time Telegram will kick the intruders out of your account, and then you will be able to log in without hindrance.
      2. If it is more important for you to deprive the intruders of the ability to send malicious messages to your contacts as quickly as possible, then you should try to delete your account immediately after logging in. When you delete your account, you will permanently lose access to all your chats and contacts, and those groups and channels where you were the owner will remain without an owner for a long time, and maybe forever. In order to delete an account, you must immediately after successful login as quickly as possible (before the intruders end your session):
        • open in the browser (not in the Telegram application, but in the browser – this is important!) the link https://my.telegram.org/deactivate;
        • enter your phone number in the “Your Phone Number” field;
        • receive a message with an authorization code from your Telegram service account, copy the code and enter it in the “Confirmation code” field;
        • make sure that your phone number is actually listed on the next page and click the “Delete My Account” button.

      2.2.3. The login code will be sent to another device

      In this case, you need to click the “Send the code as an SMS” button at the bottom of the screen. If it is not there, wait a few minutes without leaving the login screen, and it will appear. Then there are two possible options:

      1. The application informs you that an SMS message with a code has been sent to you, or that Telegram is calling you to dictate the code. In this case, you need to wait for the SMS or call, receive the code and enter it on the authorization screen. If neither the call nor the SMS is received, then our article “What to Do When Telegram Auth Code Doesn’t Arrive?“.
      2. The application displays the message “If you have not received a call or SMS with a code, check your cellular settings and the number you specified: …” with the buttons “Help”, “Edit number” and “Close”. Such a message means that the Telegram platform for some reason does not want to send the code to the device from which you are trying to log in to your account. Try installing the app on another device or wait a few hours and then try signing in again.

      2.2.4. The login code will be sent to an email address that you don’t own

      This means that the attackers have already managed to specify their email to receive one-time login codes. We wrote about this authorization mechanism in detail in the article “Authorization in Telegram using email” (only in Russian at the moment).

      In this case, you need to click the “Reset email” button, and then make a choice: either wait 7 days for it to reset, or ask one of your friends to give your account a paid Telegram Premium subscription and reset it immediately. Please note: even if you reset your email immediately and log into your account, this does not guarantee that you will be able to immediately get rid of the attackers: see section 2.2.2.

      2.2.5. The application will ask to enter a cloud password, but you do not know it

      This means that either you have forgotten your own cloud password, or the attackers have already managed to change it. In both cases, the “Forgot password?” button will help you: click it and follow the application’s prompts. Note: if the application has not reported that the password reset code has been sent to your email, then you have only one option: completely reset the account in 7 days, deleting all chats and contacts. Please note: after you start the reset procedure, the attackers will be able to change the phone number of the stolen account; in this case, the account will be permanently at their disposal, and you will only have the opportunity to create a new account using your phone number.

      2.2.6. The application will show the message “Too many attempts”

      This means that too many attempts to log in to your account have been made recently (several hours or days), and Telegram has temporarily blocked new attempts. Usually, in this case, it helps to wait a few hours or days, and then try to log in to your account again.

      We do not know whether attackers can prevent you from logging in to your account by constantly making such attempts on their device. If after a few hours you see the same message “Too many attempts” when trying to log in to your account, take a longer break and try again.

      It may also help to install the Telegram application on another mobile device and try to log in to your account from there.

      2.2.7. The application will ask you to enter your first and last name

      Unfortunately, this means that either your old account has been deleted, or the attackers have changed the account’s phone number in its settings.

      In the first case, you can try to recover the account. To do this, you need to send an email to [email protected], indicating your phone number, describing in detail the entire situation with account theft, as well as a request to restore the account and all its data.

      In the second case, unfortunately, there is no chance of restoring access to the account.

      2.2.8. The application will inform you that the phone number is banned

      This may happen if, due to complaints from other users (see section 3), Telegram completely blocks your account. In this case, you need to click the “Help” button under the message about blocking the number, select the configured mail application (if you do not have one, then install and configure it) and send an email to Telegram, the text of which will be generated automatically. No response will come to this letter, but in a few days the blocking may be removed from your phone number, and you will be able to create a new account. Unfortunately, the probability of restoring the old account in this case is extremely small, but it is still possible.

      If after a few days the phone number is still not unblocked, then you can forget about registering an account for this phone number for the next six months.

      3. What can be done to make Telegram ban a stolen account?

      If you are unable to regain access to your account (items 2.2.2 – 2.2.6), and the attackers continue to try to deceive your friends and family, then you can try to block your account. Whether you will be able to regain access to it later is a separate question, but at least the attackers will not be able to take over your contacts’ money.

      We wrote in detail about the ways to do this in the article “How to contact Telegram?” in the “Report Violation” section. Ask your friends who have received fraudulent messages from you to forward them to the service account @notoscam, or write emails to [email protected], describing the entire case with the stealing of your account. The more such messages and letters there are, the greater the chance that Telegram moderators will notice at least one of them and respond to it.

      If the scammers ask you to transfer money to them, you can start a correspondence with them, find out the bank card number, find out which bank issued it, and contact this bank with a complaint about the scammers. This will not help return the Telegram account to its real owner, but it can make life more difficult for the scammers.

      4. How do they steal Telegram accounts?

      There are quite a few ways. Let’s list the most common ones.

      4.1. Social engineering

      The attackers push you to give them all the data they need to log into your account. They can:

      1. Tempt you with a free Telegram Premium subscription, the ability to read other people’s Telegram correspondence, access to classified information such as lists of future conscripts, the prospect of winning a cash prize, and other gifts or bonuses.
      2. Ask you for a favor: for example, vote for a child’s drawing in some competition.
      3. Scare you by saying that if you do not immediately follow the link, your account will be deleted or that all account data will be transferred somewhere without the possibility of recovery.

      Be vigilant: such offers and requests can even come from one of your friends if their account is stolen. If you are asked to go from the Telegram app to a site that is unknown to you, and especially if this site asks you to log in using your Telegram account, then most likely someone is trying to steal your account.

      4.2. Running malicious code on your device

      Attackers may try to trick you into running a malicious application on your personal computer running Windows or macOS (less often on an Android device). Such an application can steal your session and pass it on to the attackers, and log you out of your account. This method is especially oftenly used against owners of large channels: the owner is sent an archive that allegedly contains materials related to the purchase of advertising on his channel; the victim extracts the contents of the archive to his PC, opens the file and immediately loses access to his account.

      An important feature of this theft method is that the attackers do not have to wait 24 hours before they can end other sessions, change the account phone number and perform any other actions that are usually unavailable immediately after logging into the account. The fact is that with this theft method, a new session is not created, but the old one is copied, so the Telegram server trusts the copy as well as the original.

      Please note: if a session was stolen from your PC, in some cases you will not see that the attackers have access to your account, since their session will be disguised as one of yours. This is why we recommend terminating not only sessions from unfamiliar devices, but all sessions in general, except the current one.

      4.3. Issuing a duplicate SIM card

      In some cases, attackers can fraudulently obtain a second SIM card with your number from your mobile operator and then accept the authorization code on it. This method is used extremely rarely and usually only in relation to public figures – for example, politicians. In addition, having such a SIM card will not help in any way to steal an account protected by a cloud password.

      5. So Telegram is not as secure as they claim?

      5.1. Why is it so easy to steal an account? Isn’t the data encrypted?

      The encryption protocols used in Telegram are quite secure: at least, no one has managed to hack them yet. The weak link that makes theft possible is usually the user themselves: attackers almost always gain access to an account because the user clicks on an unsafe link or runs an unsafe file.

      5.2. But I protected my account with two-step authentication! How did the scammers know my cloud password?

      In some account theft scenarios, they don’t need to know your cloud password to access your account. For example, when stealing a session from a Windows or macOS PC (see section 4.2)

      5.3. I don’t think my Telegram account is stolen, but strange things are still happening there.

      Sometimes users see that the list of devices only shows mobile devices that are guaranteed not to belong to attackers, but the account still looks as stolen (for example, contacts receive messages with malicious links). This is a fairly rare situation, but it still happens that attackers gain access not to your Telegram account, and not even to your Telegram application, but to your entire device.

      This situation is very unpleasant. Firstly, in this case, the scammers also have access to your incoming calls and SMS messages, which means they will be able to see the authorization codes that Telegram will send you. Secondly, they probably also have access to the mail application (which means they control incoming emails, for example, with authorization codes or codes for resetting the cloud password), as well as to banking applications (which means they can cause more serious damage than just stealing your Telegram account). And finally, thirdly, it can be quite difficult for users to believe that everything that is on their phone has fallen into the hands of intruders and is available to them right now.

      However, theoretically it is possible, and some users become victims of exactly this kind of global hack. It is difficult to give specific recommendations on how to clear the device of applications that allow fraudsters to gain such extensive access to the device. In this situation, it is necessary to turn off the device as quickly as possible and change the passwords in all services that were logged in on it (including passwords saved in the browser), and then check the hacked device.

      6. How to protect your account from theft?

        To reduce the risk of account theft to a minimum, follow these rules:

        6.1. Online security

        1. Don’t follow suspicious links. How do you know if a link is suspicious? It’s simple: if you’ve asked yourself this question, it means the link is suspicious: it’s better to be paranoid than a victim.
        2. Don’t run suspicious files on your devices. How do you know if a file is suspicious? See the previous point.

        6.2. Device security

        1. Don’t leave your devices unattended: this allows attackers to spy on their screens for notifications with authorization codes.
        2. Don’t install apps from unofficial stores or other untrusted sources: not only Telegram apps, but any other apps.
        3. Don’t Jailbreak your iPhone or try to root your Android device: despite some benefits, these operations reduce the overall security of your data.
        4. Regularly scan your devices with an antivirus, using updated antivirus databases. Especially PCs running MS Windows, but Androids won’t hurt either.
        5. If you lose a device on which you are logged into your Telegram account, end the session of the stolen device from another one as soon as possible.
        6. Remember to log out of your Telegram account before selling the device (for example, a phone) or before giving it to other users (for example, a work laptop).

        6.3. Account security

        1. Never share your one-time codes for logging into your account or your cloud password with anyone.
        2. Protect your account with a 2FA password in the section “Settings › Privacy and Security › Cloud password”. We also recommend that you specify an email address for resetting the password in case you forget it. However, this somewhat reduces the security of the account, because attackers can also access your email, so the decision is up to you.
        3. Protect all your Telegram apps with a passcode in the “Settings › Privacy and Security” section. This will not only make it more difficult for scammers to access your account and notifications with authorization codes, but will also encrypt all account data on your PC disk.
        4. Carefully read all notifications that you receive from all official Telegram accounts, and especially from the +42777 account. This account notifies users about attempts to log into their accounts, sends authorization codes, informs about enabling or disabling a cloud password, and provides other important information that directly concerns user security.

        7. Why can’t Telegram support help me get my account back?

          Many users are surprised and indignant that official Telegram support doesn’t help get back stolen accounts. However, there is a reasonable explanation for this.

          1. When creating an account, users do not provide the platform with any information about themselves except for their phone number. Therefore, no matter how the user tries to confirm their identity later, it will not help in any way: Telegram employees simply have nothing to compare the data that the real owner can provide with.
          2. Telegram does not have an office in any country and no channels for interaction with local companies, for example, with mobile operators. Therefore, even if you own your phone number for 15 years and have a contract with a mobile operator that confirms this, Telegram employees are not able to verify this: you can only send these documents to Telegram in electronic form, and forging electronic documents is not difficult.
          3. Telegram cannot restrict a user’s account, block it, or even terminate all active sessions on request received on behalf of another user. Because Telegram employees have no way to verify that the attacker is managing the account and the real owner is asking to punish him for it, and not the other way around.