An encrypted messaging app used by 100 million people has been compromised.

Researchers claim that a hacking group called Rocket Kitten has learned the phone numbers of 15 million Telegram users and has, in some cases, used the service’s reliance on text messages to gain total access to those “secure” accounts.

This is the first time a “systematic de-anonymization and classification of people who employ encryption tools (of some sort, at least) for an entire nation” has been revealed, Amnesty International technologist Claudio Guarnieri, who discovered the hack with independent researcher Collin Anderson, told Reuters.

How it Worked:

The hack is said to have worked by intercepting text messages as they were in transit and then using them to add a hacker-controlled device to the account. This would allow the hacker to read the encrypted communications that would otherwise have been nearly impossible for them to compromise with brute force.

More than Just ISIS:

In addition to being a preferred communications tool of ISIS, Telegram is also popular with activists, journalists, and 20 million other people who want to evade the Iranian government’s surveillance programs.

The Same Tech as WhatsApp:

Telegram isn’t the only app that uses SMS for authentication. Signal, a popular encrypted communications app, also uses text messages to verify accounts. So does Facebook’s WhatsApp messaging tool.

It would be trivial for intelligence agencies to intercept these messages to gain access to otherwise secure tools, thanks to previous hacks that allow the NSA and Britain’s GCHQ to secretly decrypt the phone calls and text messages of many cellphone owners.

Many services, from Amazon to Twitter, use text messages to help people secure their accounts. The difference is that those services use text messages as a second authentication factor used in conjunction with a username and password, not a primary login mechanism. This is more secure than a single factor system.

Telegram allows its users to set passwords on their accounts but does not require them to do so. All someone needs to access most accounts is knowledge of their phone number which Rocket Kitten has and the ability to intercept SMS, which could be made easier by the hacking group’s ties to Iran’s government.

Some tools can avoid this problem. When end-to-end encryption rolls out for Facebook Messenger, for example, it will only send encrypted messages to one device instead of making them available on multiple platforms.

But that restriction doesn’t apply to all encrypted communications tools. While it’s still smart to use these apps this is a good reminder that being encrypted isn’t the same as being totally secure.

Guarnieri and Anderson plan to discuss the hack more at Def Con 24 on August 4.