Secure messaging app Telegram suffered its largest known hack in its brief history, which occurred in Iran, according to Reuters.

Researchers said hackers comprised more than a dozen Telegram accounts and identified the phone numbers of 15 million Iranian users.

The attacks occurred earlier this year but have only now come to light, thanks to cyber specialist Collin Anderson and Amnesty International technology expert Claudio Guarnieri, who have been researching hacking in Iran for the past three years.

The vulnerability of Telegram, which is used by about 20 million people in Iran, comes from the use of SMS in signing up new customers. When they log on from a new device, Telegram sends an authorisation code to users via SMS.

Potentially, this message can be intercepted by the mobile operator carrying it, and then shared with hackers. Then the hacker could add new devices to an individual’s Telegram account, enabling the hacker to read a customer’s old, as well as fresh, chats.

Hence, the argument is Telegram will always be vulnerable in countries where the state either owns a local operator or has influence over any of them.

However, there is a defence against such an attack, said Telegram in a response. The trick is not to rely just on SMS verification. The app allows users to create passwords, and they can also opt to set up a password recovery email.

“If you have a strong Telegram password and your recovery email is secure, there’s nothing an attacker can do,” said a Telegram spokesman.

The Telegram hackers are thought to be part of a group called Rocket Kitten, whose modus operandi bears a resemblance to the Iranian security forces.

News of the attacks follows reports that the Iranian authorities have given app makers 12 months to move users’ data to servers in Iran. The state is working on a National Internet Project, with the notion of building a “local” network that houses data within the country’s borders.