Guide · Account takeover

Why terminating your Telegram sessions does not log the hacker out

If your Telegram was taken over through a stolen session, hitting Terminate usually does not remove the attacker. Three things defeat it: a stolen session looks identical to yours so you cannot tell which to end, Telegram blocks any session under 24 hours old from removing other sessions, and if the malware that stole your session is still on your computer it simply steals the new one. Terminating treats the symptom, not the cause.

By Danial, Co-founder, Sessions · Published June 29, 2026

What actually happened when your account was taken over

Most people picture a hack as someone guessing a password or phishing a login code. The takeovers that are hardest to shake are different. On Telegram Desktop, your authenticated session lives in a folder called tdata. That folder holds the cryptographic credential that proves you are you. It is what keeps you logged in so you do not retype a code every time you open the app.

Commodity infostealer malware, the kind delivered through a fake job interview, a booby-trapped meeting app, or a cracked download, copies that folder. No password is needed. No login code is needed. Two-factor authentication does not stop it, because 2FA gates new logins and a copied session is not a new login. It is your existing, already-trusted session, cloned. The attacker drops your tdata into their own Telegram Desktop and they are inside, as you.

This is why Telegram never shows you a new-login-from-an-unknown-device warning for this attack. From the server's point of view, it is the same authorization you already had. There is nothing new to warn you about.

Trap 1: you cannot tell which session to terminate

Open Telegram, go to Settings, then Devices or Active Sessions. You see a list of logged-in sessions, and the instinct is to find the stranger and terminate it.

The problem is that a cloned session does not announce itself as a stranger. It carries the same credential your real session does, and an attacker can run a build of Telegram Desktop that reports the same client details. The device name and app fields are attacker-controlled text, not verified facts. So the list that is supposed to help you tell friend from foe shows you two doors that look the same. Terminate the wrong one and you have logged yourself out while the attacker stays in.

Trap 2: the 24-hour rule locks you out exactly when you need in

Here is the detail buried in every recovery listicle. Telegram does not allow a session less than 24 hours old to terminate other sessions. This is a real anti-abuse rule, and in a takeover it works against the victim.

Picture the common sequence. You realize something is wrong. You log in fresh on your phone to take control. That fresh session is now minutes old, so Telegram will not let it remove anything. For the next 24 hours, the attacker's older session has more power over your account than your own brand-new one does. People read this as the terminate button being broken. It is not broken. You are inside a rule that assumes the older session is the trustworthy one.

This single fact is the most decision-relevant thing about a Telegram takeover, and it is almost never stated plainly. If you can still open Telegram on a session older than 24 hours, you can act now. If you cannot, you are in a race or a recovery, and the steps are different.

Trap 3: reinfection makes terminating pointless

Say you get past the first two traps and you successfully terminate the attacker's session. If the infostealer that took your session is still running on your computer, you have won nothing. The moment you log back in and Telegram writes a fresh session to disk, the same malware copies it and the attacker re-imports it. They are back in seconds, and it feels like the hacker keeps coming back no matter what you do.

They keep coming back because terminating a session removes a token, not the thief. The thief is a process still living on your machine. Until the device is cleaned, every login you create is just fresh material for the next theft.

So what actually works

The order matters. Doing these out of order is why people stay stuck.

What to do, and why it comes here

1. Get off the compromised device. Manage the account from a phone or a different, clean computer.
   Why here: anything you do from the infected machine can be re-stolen immediately.
2. Clean or fully reset the original computer (malware scan, or wipe).
   Why here: this removes the thief. Skipping it is why terminating fails.
3. Change your Telegram cloud password (2FA) and set a recovery email if you have none.
   Why here: cuts off the attacker's ability to lock you out, once the device is clean.
4. From a session older than 24 hours, terminate all other sessions. If you cannot, you are in the 24-hour window: wait it out or use account recovery.
   Why here: now terminating actually sticks, because the thief is gone.
5. Turn on Telegram Desktop Local Passcode so a future session copy is encrypted at rest.
   Why here: prevention for next time. See the honest caveat below.

The honest truth about just turning on Local Passcode

You will read everywhere, including from large antivirus brands, that the fix for this attack is to enable Telegram Desktop's Local Passcode, which encrypts the session folder on disk. That is genuinely good advice and you should do it. But sold as the answer, it quietly oversells.

  • It is off by default, and almost nobody turns it on. Every takeover in the news happened to someone who did not have it enabled. As population-level advice, it has already failed for the people who needed it.
  • It only protects the folder while Telegram is locked and at rest. While you are actually using Telegram, the session is unlocked and live, which is exactly the state many stealers grab it in.
  • It is desktop only. It does nothing for a cloned mobile session.
  • It is prevention, not detection. If the theft already happened, a passcode you can now set gives you nothing. You still need something that notices the stolen session being used and ends it.

A deadbolt you forgot to lock, on one of your two doors, is not a security strategy. It is one good habit. You also need an alarm for the intruder who is already inside.

How Sessions handles this

Sessions is a non-custodial guard that watches your Telegram for the fingerprints a stolen session leaves: a second live session driving your account at the same time as you, a sudden jump between distant places that no real person could make, a different client identity taking the wheel. When it sees a real takeover signature, it ends the attacker's session in real time, not after you happen to notice and start fighting the three traps above by hand. It cannot read your messages and it cannot move your funds, and you can verify the code that runs it.
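To make the three signatures concrete, here is an added example (not Sessions' own code) that runs them over a constructed activity timeline. It assumes each activity event carries an opaque session id, the client's self-reported device text, and an approximate location for the acting IP; the field names are this example's own, not Telegram's API.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Constructed activity event; field names are assumptions for this example.
@dataclass
class Event:
    t: int        # unix seconds when the action happened
    session: str  # opaque id of the authorization that acted
    client: str   # self-reported device/app text (attacker-controlled, never trusted alone)
    lat: float    # approximate location of the acting IP
    lon: float

def distance_km(a: Event, b: Event) -> float:
    """Great-circle (haversine) distance between two event locations."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def takeover_signals(events, max_kmh=1000.0, overlap_s=300):
    """Return (signal, timestamp) pairs for: a jump no real person could make,
    two different sessions acting within overlap_s of each other, and a session
    whose client identity changes between actions. A cloned tdata may act under
    the victim's own session id, so the travel and client checks do not rely on it."""
    alerts, last_client = [], {}
    ordered = sorted(events, key=lambda e: e.t)
    for i, cur in enumerate(ordered):
        if cur.session in last_client and last_client[cur.session] != cur.client:
            alerts.append(("client_change", cur.t))
        last_client[cur.session] = cur.client
        if i == 0:
            continue
        prev = ordered[i - 1]
        hours = max(cur.t - prev.t, 1) / 3600.0        # guard against a zero gap
        if distance_km(prev, cur) / hours > max_kmh:
            alerts.append(("impossible_travel", cur.t))
        if cur.session != prev.session and cur.t - prev.t <= overlap_s:
            alerts.append(("concurrent_sessions", cur.t))
    return alerts

def sample_events():
    """Constructed timeline: the victim acts from Berlin, a second session acts
    from Sao Paulo one minute later, then the victim's own session id reappears
    reporting a different client build."""
    desktop = "Telegram Desktop / Windows"   # the clone reports the same text
    return [
        Event(0, "sess-A", desktop, 52.52, 13.405),
        Event(120, "sess-A", desktop, 52.53, 13.41),
        Event(180, "sess-B", desktop, -23.55, -46.63),
        Event(7200, "sess-A", "Telegram Desktop / Linux", 52.52, 13.405),
    ]
```

Only the first two events look like the account's owner; the rest trip the checks even though the device text matches.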

We built it because terminating by hand is a fight the victim usually loses. The next piece shows exactly how fast that fight moves: we watched an attacker replay a stolen session in 140 milliseconds.

Frequently asked questions

I terminated the session but the hacker is still in my account. Why?
Most likely the malware that stole your session is still on your computer and re-stole the new session the moment you logged back in, or you terminated your own session by mistake because the attacker's looked identical. Clean the device first, then terminate.
Telegram will not let me terminate other sessions. Is it broken?
No. Telegram blocks any session younger than 24 hours from removing other sessions. If you just logged in, you are inside that window. Use an older session if you have one, or go through account recovery.
Does two-factor authentication stop a stolen session?
No. 2FA protects new logins. A stolen desktop session is a copy of a login you already completed, so 2FA never gets a chance to challenge it.
Will changing my password log the hacker out?
By itself, not reliably, and not if the device is still infected. Change the password as part of the full sequence: get off the infected device, clean it, then change the password and terminate sessions.
Is enabling Local Passcode enough to protect me?
It helps and you should enable it, but it is off by default, desktop only, and only protects your session while Telegram is locked. It is prevention, not a response to a theft that already happened.

Stop a takeover before it starts.

Sessions watches your Telegram around the clock and removes any session that isn’t you, automatically. Open, hardware-attested, and yours to revoke.