The Handala hack reportedly compromised Telegram accounts of Israeli officials through session hijacking and social engineering.

Khushal

Thread author
Apr 4, 2024
Handala targeted Israeli officials by compromising Telegram accounts - not devices - likely through session hijacking and social engineering. The incident exposes critical vulnerabilities in session management, requiring stronger defenses like Multi-Factor Authentication.


What you’re describing is a very common (and often underestimated) failure mode for messaging apps: account/session takeover rather than “full device hack.” In KELA’s write-up (updated January 1, 2026), their assessment is that the leaked material most likely came from unauthorized Telegram account access, not complete phone compromise — and that the attackers likely used a mix of social engineering + session/OTP abuse paths. ([kelacyber.com](https://www.kelacyber.com/blog/handala-hack-telegram-breach-israeli-officials/?utm_source=openai))

Why this matters (sessions beat “device security”)
  • Telegram is designed for multi-device use, so a new authenticated session can expose chats/contacts without rooting/jailbreaking anything.
  • KELA specifically calls out vectors like OTP harvesting (including voicemail/voice-call angles), phishing pages/QR login tricks, and Telegram Desktop session theft via the “tdata” folder (copying it can recreate an already-authorized session elsewhere). ([kelacyber.com](https://www.kelacyber.com/blog/handala-hack-telegram-breach-israeli-officials/?utm_source=openai))

What defenses actually help (and their limits)
  • Enable Telegram Two-Step Verification (Telegram’s “cloud password”). Telegram states this adds a password requirement when logging in on a new device, in addition to the code. ([telegram.org](https://telegram.org/blog/sessions-and-2-step-verification))
  • Audit and kill sessions quickly: Telegram provides an “Active Sessions” screen showing logged-in devices and IP info so you can close suspicious sessions. ([telegram.org](https://telegram.org/blog/sessions-and-2-step-verification))
  • Reduce reliance on SMS codes: Telegram added Passkeys for login “without SMS codes,” stored on the device and usable with biometrics/PIN. ([telegram.org](https://telegram.org/blog/passkeys-and-gift-offers))
  • Harden the endpoints that hold sessions (especially Telegram Desktop): if an attacker can steal session material (e.g., tdata), “MFA” at login time may not help because they’re replaying an existing authorized session. (This is a general session-token reality, and it aligns with KELA’s tdata discussion.) ([kelacyber.com](https://www.kelacyber.com/blog/handala-hack-telegram-breach-israeli-officials/?utm_source=openai))

Practical hardening checklist (high-value targets/orgs)
  • Immediately: Settings → Privacy & Security → Active Sessions → terminate anything unknown; consider terminating all other sessions if compromise is suspected. ([telegram.org](https://telegram.org/blog/sessions-and-2-step-verification))
  • Account protection: enable Two-Step Verification + recovery email; consider enabling Passkeys where available. ([telegram.org](https://telegram.org/blog/sessions-and-2-step-verification))
  • Telephony controls: set a strong voicemail PIN, add carrier “port-out/SIM swap” protections, and avoid sharing OTPs with anyone (including “support” claims).
  • Desktop/backup hygiene: treat Telegram Desktop data/session material as sensitive; avoid syncing Telegram data folders into cloud drives/backups; lock down workstations (full-disk encryption + strong OS auth).
  • Threat-model the content type: Telegram cloud chats are stored on Telegram servers (to enable multi-device sync). For higher-sensitivity 1:1 conversations, Secret Chats use end-to-end encryption and aren’t stored on Telegram servers. ([telegramapp.github.io](https://telegramapp.github.io/privacy.html?utm_source=openai))

Bottom line: this incident is a good reminder that for modern messengers, session management and account recovery paths (SMS/voicemail/support impersonation/desktop sessions) are often the real weakest link—so defenses have to focus there, not only on “is the phone hacked.”
 
Recommendations

To defend against the specific vectors used in this campaign (Session Hijacking and OTP Phishing), the following controls are mandatory.

Critical

Enable Cloud Password (2FA)

Telegram's default SMS verification is insufficient against SIM swapping or OTP interception. You must enable the "Cloud Password" (Two-Step Verification).

  • Go to Settings > Privacy and Security.
  • Select Two-Step Verification (or "Cloud Password").
  • Set a strong, unique password and a recovery email.

Note: Even if an attacker steals your tdata session file or OTP, they cannot log in on a new device without this password.

Audit Active Sessions

Regularly flush unauthorized or old sessions to kill hijacked tokens.

  • Go to Settings > Devices.
  • Review the list of "Active Sessions."
  • If you see an unknown device (or an old session from a computer you no longer use), tap Terminate Session.

Hardening Desktop Usage
Since the tdata folder is a primary target:

  • Avoid Telegram Desktop on unmanaged devices: do not log into Telegram on shared or public computers.
  • Turn off "Keep me signed in".
  • If possible, log out of the desktop client when not in use to invalidate the session token on disk.

EDR/AV Monitoring

Ensure Endpoint Detection and Response tools are configured to flag unauthorized access or exfiltration of %APPDATA%\Telegram Desktop\tdata.

References

  • MITRE ATT&CK T1550.002: Use of Stolen Session Tokens (Session Hijacking)
  • MITRE ATT&CK T1566: Phishing
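As an added illustration of the EDR/AV monitoring point above (example code, not from the thread or from any vendor tool): a small triage routine that classifies file-access records touching Telegram Desktop's tdata folder, treating the client itself as expected, cloud-sync agents and synced folders as "session leaves the host", and anything else as suspicious. The record fields follow Windows Security event 4663 (object access); the sample records, the sync-client process names and the synced-folder names are constructed assumptions.

```python
"""Triage file-access telemetry for Telegram Desktop's tdata folder.
Added example for the EDR/AV monitoring step, not code from the thread. Records
mirror the ObjectName/ProcessName/SubjectUserName fields of Windows Security
event 4663 (object access); the sample records below are constructed."""
import re
from typing import Dict, List, Tuple

TDATA_RE = re.compile(r"\\Telegram Desktop\\tdata(\\|$)", re.IGNORECASE)
CLOUD_DIR_RE = re.compile(r"\\(OneDrive|Dropbox|Google Drive)\\", re.IGNORECASE)  # synced folders (assumed)
EXPECTED_PROCESSES = {"telegram.exe"}  # the client itself
SYNC_PROCESSES = {"onedrive.exe", "dropbox.exe", "googledrivefs.exe"}  # sync agents (names assumed)


def classify(event: Dict[str, str]) -> str:
    """Return 'ok', 'sync-exposure' or 'suspicious' for one access record."""
    path = event.get("ObjectName", "")
    if not TDATA_RE.search(path):
        return "ok"  # unrelated object
    proc = event.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
    if proc in SYNC_PROCESSES or CLOUD_DIR_RE.search(path):
        return "sync-exposure"  # benign access, but the session is copied off-host
    if proc in EXPECTED_PROCESSES:
        return "ok"
    return "suspicious"  # e.g. an archiver or script reading tdata


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(record id, verdict, process) for every record that is not 'ok'."""
    hits = []
    for e in events:
        verdict = classify(e)
        if verdict != "ok":
            hits.append((e["RecordId"], verdict, e["ProcessName"]))
    return hits


TG = r"C:\Users\alice\AppData\Roaming\Telegram Desktop"  # default per-user install path
SAMPLE_EVENTS = [  # constructed sample telemetry
    {"RecordId": "1", "SubjectUserName": "alice", "ProcessName": TG + r"\Telegram.exe",
     "ObjectName": TG + r"\tdata\example.bin"},
    {"RecordId": "2", "SubjectUserName": "alice", "ObjectName": TG + r"\tdata\example.bin",
     "ProcessName": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"RecordId": "3", "SubjectUserName": "alice", "ProcessName": r"C:\Program Files\7-Zip\7z.exe",
     "ObjectName": TG + r"\tdata\example.bin"},
    {"RecordId": "4", "SubjectUserName": "alice", "ProcessName": TG + r"\Telegram.exe",
     "ObjectName": r"C:\Users\alice\Downloads\report.pdf"},
    {"RecordId": "5", "SubjectUserName": "bob", "ProcessName": r"C:\Users\bob\Telegram\Telegram.exe",
     "ObjectName": r"C:\Users\bob\OneDrive\Telegram Desktop\tdata\example.bin"},
]
```

Record 5 shows the folder-level case from the hygiene checklist: the client itself is reading tdata, but the whole folder sits inside a cloud-synced directory, so it is flagged even though the process is expected.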