In a service that is supposedly secure, it certainly is very fishy when hackers are able to compromise its API and gain access to secured content.

Although Telegram prides itself in being ultra-secure, in a twist of fate, the private messaging service is finding itself on the short end of the rope as hackers have found an exploitable vulnerability.

According to security researchers, a hacking group from Iran appears to have breached several Telegram accounts. Furthermore, in a development that with more material consequences for Telegram’s user-base, 15 million phone numbers of its users have been exposed.

The hackers supposedly eavesdropped and cracked the authentication code of Telegram’s SMS service and used it to add devices to their accounts, read the SMSs and impersonate users.

In order to access the phone number they exploited weaknesses in Telegram’s API.

The hack has been attributed to the Government of Iran and according to the security experts the phishing campaigns that were launched from the compromised accounts reflect official “interests and activities”. The targets whose accounts were compromised include members of the reform group as well as those in the opposition.

Although so far Telegram has portrayed the hack as a matter of weak user-level security and not having systemic value – not a vulnerability, the question is if the fix were as simple as creating stronger passwords, why isn’t this measure mandatory in a service whose very purpose of being is to facilitate secure messaging?