Your Telegram got hacked: exactly what to do in the first hour
First, figure out one thing: can you still open Telegram? If yes, you have minutes to race the attacker, so set a 2FA password, end the foreign sessions, and clean your device. If you are locked out, your only real path is Telegram's official recovery, which has a built-in waiting period. Warn your contacts either way.
If your Telegram just got taken over, your hands are probably shaking and your feed is filling with messages you did not send. Breathe. The next hour matters, but panic makes it worse. This is a calm, branching plan written for exactly this moment.
Everything below splits on one question, so answer it first.
The only question that matters right now: can you still open Telegram?
Open the app or Telegram Desktop and try to reach your own chats and Settings.
- If your chats load and Settings opens, you still have access. Go to Path A: you are still in. You are racing the attacker, and you can probably win.
- If you are logged out, your code never arrives, or it says your number is not registered, you are locked out. Go to Path B: you are locked out.
Do not skip this. The two paths share almost nothing, and doing Path B steps while you still have access wastes the few minutes that actually save the account.
One thing to understand before you start. If the attacker stole a live session (the most common crypto-targeted attack, usually by lifting your Telegram Desktop tdata folder with malware), Telegram sent you no new-login warning, because to Telegram nothing new logged in. The attacker is replaying a session you already approved. Imperva documented that copying the tdata folder to another machine grants full access with no phone number and no 2FA code required (Imperva, 2025). So the absence of an alert means nothing. Trust what you are seeing in your account, not your notifications.
Path A: you are still in (race the attacker)
You have a head start. Use it in this order.
1. Get off the infected device first. If a stolen session is the vector, the malware that took it is still running and will re-steal anything you do next. Do these steps from a clean phone or a different computer if you possibly can. If you only have the infected machine, still act, but treat it as compromised the entire time.
2. Set a Two-Step Verification password (cloud password). Go to Settings > Privacy and Security > Two-Step Verification, and set a password plus a recovery email you control. Be honest with yourself about what this does: 2FA does not kick out a session that is already logged in. A thief replaying your existing session sailed past 2FA before you ever set it. What 2FA does is stop the attacker from locking you out by claiming the account on a fresh device. It is a lock on the front door, not an eviction notice for someone already inside.
3. End every session that is not yours. Go to Settings > Devices (or Active Sessions), then choose Terminate all other sessions, or terminate the unfamiliar ones one by one. Two traps here:
- A stolen session can look identical to yours (same app, similar location), so you may not be able to tell which to end. When unsure, terminate all others and re-log your own devices.
- Telegram blocks any session younger than 24 hours from terminating other sessions. If you just logged in to do this, you may be inside that window and the button silently does nothing. This is the cruel part: the moment you most need to act, you can be locked out of acting. We wrote a whole piece on why this happens: "Why terminating your Telegram sessions does not work."
4. Clean the device, then change the password. If malware is the cause, terminating without cleaning is a revolving door: the attacker's session dies, you log back in, the malware lifts the new session, and you are owned again within minutes. Run a reputable scan, or wipe and reinstall if you handle real crypto value. Only after the device is clean should you change your Telegram password and re-terminate. Order matters.
5. Check what they changed. Look at your linked email, phone number, username, and active 2FA. Attackers often try to swap your recovery email to lock you out next. Revert anything you can.
The honest summary of Path A: you can win this race, but only if you treat the device as the real wound and the session as the symptom.
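The session triage from step 3, with both traps, as an added sketch that is not part of the original article and is not Telegram's or Sessions' code. The session records, field names and the `owned` device inventory are constructed assumptions; the 24-hour rule and the "terminate all others when unsure" advice come from the steps above.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

FRESH_WINDOW = timedelta(hours=24)  # sessions younger than this cannot end others

# Constructed sample data; field names are assumptions for this sketch,
# loosely modelled on what the Devices screen lists.
SESSIONS = [
    {"id": "a", "device": "Telegram Desktop / Windows", "created": "2026-03-01T08:00:00+00:00", "current": False},
    {"id": "b", "device": "Telegram Desktop / Windows", "created": "2026-03-01T08:00:00+00:00", "current": False},
    {"id": "c", "device": "Telegram Android / Pixel 8", "created": "2026-03-09T21:30:00+00:00", "current": True},
    {"id": "d", "device": "Telegram Web / Chrome", "created": "2026-03-09T19:00:00+00:00", "current": False},
]

def triage(sessions, owned, now):
    """owned maps a device label to how many such devices you really use."""
    current = next(s for s in sessions if s["current"])
    age = now - datetime.fromisoformat(current["created"])
    others = [s for s in sessions if not s["current"]]
    # Sessions whose label matches nothing you own are plainly foreign.
    unknown = [s["id"] for s in others if s["device"] not in owned]
    # Trap 1: a stolen session can carry your own device label, so a label
    # match proves nothing. More sessions than devices owned is ambiguous.
    seen = Counter(s["device"] for s in sessions)
    ambiguous = sorted(d for d, n in seen.items() if d in owned and n > owned[d])
    # Trap 2: a current session younger than 24 hours cannot terminate others.
    if age < FRESH_WINDOW:
        action = "use_older_session_or_official_recovery"
    elif ambiguous:
        action = "terminate_all_others_then_relogin"
    elif unknown:
        action = "terminate_listed"
    else:
        action = "nothing_foreign_found"
    return {"action": action, "unknown": unknown, "ambiguous": ambiguous,
            "wait": max(FRESH_WINDOW - age, timedelta(0))}

if __name__ == "__main__":
    owned = {"Telegram Desktop / Windows": 1, "Telegram Android / Pixel 8": 1}
    now = datetime(2026, 3, 10, 9, 30, tzinfo=timezone.utc)
    print(triage(SESSIONS, owned, now))
```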
Path B: you are locked out (recovery is your only path)
If the attacker already changed your number, email, and password, the fast moves are gone, and this is the hardest truth in this article: only Telegram can recover the account, and there is no shortcut.
- Go to the official support form at telegram.org/support (or in-app, Settings > Ask a Question). Explain that your account was hacked and your email was changed. Include your phone number with country code.
- Telegram enforces a multi-day waiting period before an account can be reset for security reasons, and support does not offer real-time or phone help. Replies can take days. This is frustrating and it is also the same mechanism protecting you from the attacker doing the reverse.
- Your phone number is your identity to Telegram. The single most useful thing you can do is regain reliable control of that number through your mobile carrier, because verification codes route there.
There is no legitimate way to bypass this. Which leads to the warning that protects you from losing more.
Do not get scammed twice
The moment people realize they are hacked, a second wave of predators arrives. They DM you or reply to your panicked post offering to "recover" your account for a fee, sometimes posing as Telegram support, sometimes as a "white-hat" or "recovery specialist."
No third party can recover a hacked Telegram account. No one can bypass Telegram's number-bound verification. Anyone promising it is running the second scam, and paying them just adds a financial loss to an account loss. Telegram's only real support is the official channel above, initiated by you, and it never asks for your login code or cloud password in a DM. If a private account asks for either, it is fraud, full stop.
Warn your contacts now (copy-paste template)
A hijacked Telegram account is a weapon aimed at the people who trust you. CYFIRMA's February 2026 research on Telegram session-hijacking campaigns found that compromised accounts are immediately used to phish the victim's own contacts, exploiting that trust to spread (CYFIRMA, Feb 2026). Your friends are about to get a message from "you" asking for crypto or a loan.
Post this on every channel you still control (X, Discord, email, a backup Telegram, a group chat):
Heads up: my Telegram account was hacked. If you get any message from me on Telegram asking for money, crypto, a code, or a "favor," it is NOT me. Do not send anything, do not click links, do not share any login code. I am working on recovery. I will confirm here when I am back in control.
Thirty seconds of warning can stop a friend from wiring money to a stranger. Send it before you finish recovery, not after.
Why we built Sessions
Here is the gap we kept seeing in every hacked-Telegram story. By the time a victim opens Settings, the attacker has been inside for hours, has already messaged contacts, and the 24-hour rule is blocking the one button that would help. The damage happens in the silent window between the theft and the human noticing.
Sessions closes that window. It is a non-custodial guard that watches your Telegram for a hijacked or replayed session and an unrecognized login, and ends the attacker's session the moment it sees it, without waiting for you to notice. It runs in an attested AWS Nitro enclave, so it cannot read your messages or move your funds, the code is open-source and verifiable, and you can revoke it any time. We are deliberate about what it is not: it is prevention and fast response, not recovery. If you are already locked out, only Telegram can bring the account back. Sessions exists so you do not get to that point.
If you want the deep technical version of how a stolen session gets replayed and what a victim can and cannot detect, read "We watched an attacker replay a stolen Telegram session in 140 milliseconds."
You are going to get through this hour. Pick your path, move in order, and do not let the second scammer take what the first one missed.
Frequently asked questions
- My Telegram is hacked and the email and phone number were changed. Can I still get it back?
- Possibly, but only through Telegram's official recovery, and not quickly. Submit the form at telegram.org/support, state the account was hacked and the email was changed, and include your phone number with country code. Telegram enforces a multi-day waiting period and support replies can take days. The most useful thing you can do is regain reliable control of your phone number through your carrier, since verification codes route there. No third party can do this faster, and anyone claiming they can is a scammer.
- I never shared a code. How did they get in?
- You probably did not need to share anything. The common crypto-targeted attack is session theft: malware copies your Telegram Desktop tdata folder, which contains your already-authorized session, and the attacker replays it from their own machine. No password, no code, and no new-login alert, because to Telegram nothing new logged in. A separate campaign tricks people into approving a fake authorization prompt or QR scan. In both cases the attacker rides a login you already approved.
- Will turning on 2FA kick the hacker out?
- No. Two-Step Verification does not remove a session that is already logged in, and a thief replaying your existing session got in before 2FA ever applied. Set it anyway, because it stops the attacker from locking you out on a fresh device and adds a barrier going forward. But to actually remove them you must end the foreign sessions and, critically, clean the device that leaked the session in the first place.
- I terminated all sessions but the hacker came right back. Why?
- Almost always because the malware that stole your session is still on your computer. The moment you log back in, it lifts the new session and the attacker returns within minutes. Terminating treats the symptom; the device is the wound. Get off the infected machine, clean it or wipe and reinstall, then change your password and terminate again. Also check you did not accidentally end your own session, since a stolen one can look identical.
- Telegram will not let me terminate other sessions. Is it broken?
- No. Telegram blocks any session younger than 24 hours from terminating other sessions. If you just logged in to deal with the hack, you are inside that window and the button does nothing. Use an older existing session if you have one on another device, or go through official account recovery. This 24-hour rule is exactly why fast manual response so often fails at the worst moment.
- Someone DMed me offering to recover my hacked account. Should I pay them?
- No. This is the second scam, and it specifically targets people who just got hacked. No third party can bypass Telegram's number-bound verification, so no one can recover your account for a fee. Real Telegram support is the official channel you initiate yourself, and it never asks for your login code or cloud password in a direct message. If anyone asks for either, it is fraud. Paying just adds a money loss to an account loss.