Telegram tdata Files Used for Credential Harvesting in New Honeypot Findings
What Happened — Researchers operating a public honeypot observed attackers uploading Telegram “tdata” directories to compromised servers. The tdata files contain encrypted session information that can be decrypted to reveal linked Telegram accounts, which were then leveraged to harvest credentials for SaaS services, cloud platforms, and internal tools. The activity extends beyond the typical cryptojacking payloads previously associated with Telegram‑based abuse.
Why It Matters for TPRM —
- Credential‑harvesting vectors that originate from third‑party messaging platforms bypass traditional email‑phishing defenses.
- Compromised Telegram sessions can provide attackers with reusable authentication tokens, amplifying the blast radius across multiple vendors.
- The technique demonstrates a supply‑chain style risk where a widely‑used consumer app becomes a conduit for enterprise credential theft.
Who Is Affected — SaaS providers, cloud‑hosting services, MSPs, and any organization that allows employees to authenticate to internal tools via Telegram‑linked accounts.
Recommended Actions —
- Review and restrict the use of Telegram for business authentication; enforce MFA and token revocation.
- Conduct a credential‑reuse audit to identify accounts that share passwords across services accessed via Telegram.
- Update third‑party risk questionnaires to include questions about messaging‑app session handling and storage.
Technical Notes — Attackers harvested the tdata directory, decrypted it using known Telegram libraries, extracted session keys, and then used the still‑active sessions to request password‑reset links from target services. No public CVE is associated with this activity; the vector relies on Telegram session data being stored unprotected on compromised hosts. Source: SANS Internet Storm Center
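One concrete check that follows from the notes above is a host audit for Telegram Desktop session directories on servers, where they have no business being. The script below is an added example for this brief, not code from the SANS ISC write-up or from Telegram; the marker file names it looks for (`key_datas`, `key_data`, `D877F783D5D3EF8C`) are the Telegram Desktop tdata layout as assumed here and should be verified against a known-good install before the check is deployed. It builds a small constructed directory tree with one planted tdata folder and one decoy, then scans it and reports what it finds.

```python
"""Audit a filesystem tree for Telegram Desktop "tdata" session directories.

Added example (not part of the original brief). A tdata directory on a
server is a signal worth triaging: the session keys inside let whoever
holds them act as the linked Telegram account. Marker names are assumed
from Telegram Desktop's layout; confirm them against your own installs.
"""
import os
import shutil
import stat
import tempfile
import time
from dataclasses import dataclass, field

# Assumed Telegram Desktop markers: key_datas (current key file),
# key_data (older key file), D877F783D5D3EF8C (default account map file).
TDATA_MARKERS = {"key_datas", "key_data", "D877F783D5D3EF8C"}


@dataclass
class Finding:
    path: str
    markers: list = field(default_factory=list)
    world_readable: bool = False
    newest_mtime: float = 0.0


def inspect_tdata(dirpath):
    """Return a Finding if dirpath contains tdata marker files, else None."""
    try:
        entries = os.listdir(dirpath)
    except OSError:
        return None
    present = sorted(m for m in TDATA_MARKERS if m in entries)
    if not present:
        return None  # a folder merely named tdata, no session material
    newest = 0.0
    for name in entries:
        try:
            newest = max(newest, os.stat(os.path.join(dirpath, name)).st_mtime)
        except OSError:
            continue
    mode = os.stat(dirpath).st_mode
    return Finding(dirpath, present, bool(mode & stat.S_IROTH), newest)


def scan_for_tdata(root):
    """Walk root and return a Finding for each tdata directory with markers."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if name.lower() == "tdata":
                found = inspect_tdata(os.path.join(dirpath, name))
                if found is not None:
                    findings.append(found)
    return findings


def format_findings(findings):
    """Render findings as one triage line each (path, markers, perms, age)."""
    lines = []
    for f in findings:
        age_h = (time.time() - f.newest_mtime) / 3600.0
        perm = "world-readable" if f.world_readable else "restricted"
        lines.append(
            f"TDATA {f.path} markers={','.join(f.markers)} "
            f"perms={perm} newest_file_age_h={age_h:.1f}"
        )
    return lines


def build_sample_tree():
    """Construct a temp tree (sample data, not a real capture): one planted
    tdata directory with marker files and one decoy tdata folder without."""
    root = tempfile.mkdtemp(prefix="tdata_audit_")
    planted = os.path.join(root, "srv", "www", "uploads", "tdata")
    os.makedirs(planted)
    for name in ("key_datas", "D877F783D5D3EF8C"):
        with open(os.path.join(planted, name), "wb") as fh:
            fh.write(b"\x00" * 16)  # placeholder bytes, not session data
    decoy = os.path.join(root, "home", "app", "tdata")
    os.makedirs(decoy)
    with open(os.path.join(decoy, "notes.txt"), "w") as fh:
        fh.write("unrelated content\n")
    return root


def main():
    root = build_sample_tree()
    try:
        for line in format_findings(scan_for_tdata(root)):
            print(line)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    main()
```

Run it against `/` (or the web root and upload directories) on servers rather than the sample tree; the only findings worth alerting on are directories that carry the marker files, which is why the decoy folder is ignored.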