Personal details & phone numbers of 42M Iranians sold on a hacking forum

Iranians, unfortunately, have been hit hard by Coronavirus and the last thing they would like to have is getting their privacy breached.

Iranians, unfortunately, have been hit hard by Coronavirus and the last thing they would like to have is getting their privacy breached. However, it has happened and an individual is selling personal details of 42 million Iranians on a prominent hacking forum.

What happened:

Earlier today, researchers at Comparitech identified a misconfigured database hosted on an Elasticsearch server. After analyzing, it was revealed that the database contained a treasure trove of data belonging to 42 million Iranian citizens. 

According to a blog post by researchers, the database was originally uploaded by a group of Iranian hackers going by the online handle of “Samaneye Shekar” meaning “Hunting system” in English.

Initially, it was established that the data was scrapped by Telegram since it included user account IDs, usernames, hashes, secret keys, and phone numbers. However, now has learned that the data was scrapped from HotGram and Talagram, two Telegram alternatives used in Iran.

Screenshot of the leaked data

On the other hand, Telegram has also confirmed to the researchers that the database came from an unaffiliated app. It is noteworthy that Telegram is an open source app allowing anyone to create their own versions of it. This helps Iranians use Telegram even when it is blocked due to online censorship in the country.

In a conversation with, a security researcher from Under The Breach who analyzed the sample data indicated that the database has been created with the help of scraping, a process in which data is extracted from other websites or servers.

The data only contained information that is obtainable by scraping and nothing to do with internal messaging so I believe it is a scraping operation done by some company in Iran that would then sell it to 3rd parties.

The researcher also revealed that a few days ago, misconfigured databases on Elasticsearch servers were hit by a worm in which, among others, the particular database was deleted as well. However, before the attack, the database was downloaded several times and one of the downloaders is now selling it on a prominent hacking forum whose name won’t be revealed for privacy purposes.

Although it is unclear how many people have already bought the database, when asked if the database could have an impact with regards to the Coronavirus pandemic, the researcher said”

This data can be used to spread fake news, you could create large groups and spread disinformation, though I don’t believe that was the purpose of the scrape, the researcher explained.

Not for the first time:

In September 2016, received an email in which a hacker going by the online handle of “Leader” shared a trove of data containing personal records and phone numbers of 40 million Iranians. The data was stolen from Iranian ISP Daba and belonged to MTN Irancell users.

Nevertheless, Iranians are not new to such data breaches. In April last year, a local ride-hailing app in the country leaked sensitive data of 1 to 2 million drivers in plain-text format – The misconfigured database was hosted on a MongoDB server.

Elasticsearch and misconfigured databases:

Elasticsearch is an open-source search and analytics engine for all types of data and lately home to tons of misconfigured databases. Earlier this month, a cyber security firm leaked 5 billion records it hosted on the Elasticsearch server. These records including login credentials from previous data breaches including Twitter, Tumblr, Adobe, Vk, LinkedIn, and, etc. – No customer data was leaked in the incident.

Just last month, an Israeli company leaked personal data of millions of Americans including their physical address. The database was hosted on an Elasticsearch server as well. In November last year, 4 terabytes of personal records were leaked online – All that without any password. 

In another incident, personal and tax records of 20 million Russians were also leaked online. Last month, another Elasticsearch database was exposed and leaked personal data of millions of Americans from a computer in China.

The list goes on…

Update – 11:24 – Tuesday, 31 March 2020 (BST)

The Head of Computer Emergency Response Team (CERT) in Iran Mr. Amir Nazemy has confirmed that the data breach indeed took place. In a tweet in the Persian language, Mr. Nazemy said that (Tweet Translated with Google Translate),

Expert Center Report: On Dec. 2 we warned of the insecurity of telegram shells. There is, of course, evidence that this information was collected in another way! The alleged site was identified by the name of the hunt hosted by Raspina. The report will be referred to the prosecution for judicial review.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

  1. from where your saying the scrapped data is coming from HotGram and Talagram?

  2. Thank you for this article. As a programmer, I have asked my friends and family for a long time not to use unofficial Telegram builds.
    As a native Persian (Farsi) speaker, I have found some spelling errors in this informative article which are not an issue, but just for the sake of being accurate, the editor (or someone else in charge) may find it noteworthy to correct these words/phrases:

    Samana Shikar, Ameer Nizami, Expert Center, Raspina to be spelled this way, respectively:
    Samaneye Shekar, Amir Nazemy, CERT (more info on, Respina (more info on

  3. Thanks for your interesting writings. I look forward to reading Hack Read.

Comments are closed.

Related Posts