SMS confirmation messages on account creation were supposed to make things more secure, ended up making them less secure, because the phone company gave them to the state.
As far as the SMS vulnerability goes, Anderson and Guarnieri said it lies in the use of text messages to activate new devices. When logging into a new device, Telegram sends authorization codes via SMS.
Those are the messages reportedly intercepted. According to the researchers, the phone company might have intercepted the codes and shared them with hackers: a danger in any country wherein carriers are owned or heavily influenced by the government.
Once the attackers had the codes, they could add new devices to a target’s Telegram account and read both new messages and chat histories.