It's not certain that the Iranian government is behind the attacks. However, the culprits (Rocket Kitten) have launched phishing campaigns that reflect official "interests and activities," according to the researchers. Also, the compromised targets included members of both opposition and reform groups -- and it's safe to say that some of those 15 million phone numbers could expose other activists and journalists.

So far, Telegram is portraying this as more a question of weak user security than a vulnerability. It tells Reuters that you can protect against these attacks by creating a strong password (which is strictly optional) that would add a layer of security. However, that answer raises a question: why aren't there security measures that could prevent this, such as making passwords mandatory? While this wouldn't solve all of Telegram's issues with Iran (the nation insists that companies store data in the country to facilitate censorship and spying), it would be an important start.