Telegram recovery model allows permanent lockout after phishing

9 points, posted 8 hours ago
by saloed

10 Comments

saloed

8 hours ago

I want to highlight a Telegram account recovery design issue that can result in permanent account takeover after phishing.

If an attacker obtains an active Telegram Web/Desktop session (e.g. via social engineering), the legitimate phone number owner may be unable to reclaim the account even after regaining access and enabling two-step verification (2FA).

The core problem is that critical security actions (session termination, account deletion, confirmation of changes) are confirmed inside Telegram itself, not via an out-of-band channel such as SMS.

As a result:

- the attacker’s older active session remains authoritative
- the legitimate user’s new sessions can be immediately terminated
- enabling 2FA does not invalidate existing sessions
- even account deletion may be impossible if confirmation codes are delivered only to the attacker-controlled session

This creates a permanent lockout scenario where: phone number ownership + in-Telegram verification + newly enabled 2FA are insufficient to recover the account.

This is not about phishing being a bug. The issue is the lack of a recovery mechanism that prioritizes verified phone number ownership over existing sessions.

I’ve filed a detailed report with Telegram: https://bugs.telegram.org/c/58477

Curious whether others have encountered similar recovery dead-ends, and how this compares to recovery models used by other messaging platforms.
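To make the design point concrete, here is a toy model of the two recovery policies contrasted above (an added illustration, not Telegram's code and not part of the original post). The only numbers it uses are the ones reported in this thread; the class and function names are assumptions for the simulation.

```python
"""Toy model: session-seniority recovery vs. phone-ownership-priority recovery.
Added illustration, not Telegram's implementation."""
from dataclasses import dataclass, field

SENIORITY_WAIT_H = 24.0  # hours a session must age before it may end others (figure from the thread)


@dataclass
class Session:
    owner: str        # who holds the device: "attacker" or "victim"
    created_h: float  # login time in hours


@dataclass
class Account:
    policy: str  # "session_seniority" (as described in the thread) or "phone_ownership"
    sessions: list = field(default_factory=list)

    def login(self, owner: str, now_h: float) -> Session:
        s = Session(owner, now_h)
        self.sessions.append(s)
        return s

    def may_terminate(self, actor: Session, now_h: float, phone_verified: bool = False) -> bool:
        # Under the phone-ownership policy, a fresh out-of-band proof (SMS code)
        # outranks any existing session, however old it is.
        if self.policy == "phone_ownership" and phone_verified:
            return True
        # Otherwise only sufficiently old sessions may end other sessions.
        return now_h - actor.created_h >= SENIORITY_WAIT_H

    def terminate_others(self, actor: Session, now_h: float, phone_verified: bool = False) -> bool:
        if not self.may_terminate(actor, now_h, phone_verified):
            return False
        self.sessions = [actor]
        return True


def simulate(policy: str) -> list:
    """Return the owners of the sessions that survive the recovery attempt."""
    acct = Account(policy)
    hijacked = acct.login("attacker", 0.0)   # phished session, hour 0 (constructed scenario)
    t = 48.0
    victim = acct.login("victim", t)         # real owner logs in with an SMS code two days later
    # Owner immediately tries to end the hijacked session, holding fresh proof of number ownership.
    if not acct.terminate_others(victim, t, phone_verified=True):
        # Attacker's older session meets the seniority threshold and removes the newcomer.
        acct.terminate_others(hijacked, t + 0.05)
    return sorted(s.owner for s in acct.sessions)
```

Under the seniority policy the victim is evicted every time; under the phone-ownership policy the verified number holder wins.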

user

7 hours ago

[deleted]

user

6 hours ago

[deleted]

d_silin

7 hours ago

Happened to me, exactly as described by OP.

- All new sessions are terminated within a couple of minutes by the hijacked one.

- You can't terminate the hijacked session with a new session. New sessions have to wait 24 hours to gain this authority (which of course never happens).

- Each time a new session gets terminated, you can't log in to Telegram for 24 hours.

- The only way to recover your ownership is to delete your account within 2 minutes of getting a new session working.

rationalist

2 hours ago

> The only way to recover your ownership is to delete your account...

Can you "undelete" an account? (I don't have Telegram)

d_silin

2 hours ago

Unfortunately, no.

dfajgljsldkjag

7 hours ago

The link is broken, but the OP is definitely posting AI slop, so I believe this could very likely be a hallucination.

ZeroConcerns

7 hours ago

Yeah, I have some bad news about that huge bug bounty you're expecting... ChatGPT was wrong, and there is no way to close the HackerNews account you just created, so all the abuse that deservedly comes your way will, in fact, be on your permanent record.

d_silin

7 hours ago

This is a known security issue in Telegram, the one they stubbornly refuse to fix.

ZeroConcerns

7 hours ago

Ah, yes, I see... Are the known security issues that Telegram stubbornly refuse to fix in the room with us right now?