Cyber Incident Victim: Raychat
Date: Jan 2021
Location: Iran
Summary
Raychat, an Iranian business and social messaging platform, left its entire user database, a "users" collection of over 267 million records, unprotected on the internet. The exposed fields included names, email addresses, passwords, metadata, and encrypted chat contents. The dataset showed signs of duplicate accounts belonging to the same users and of automated bot accounts, so the number of distinct people affected is lower than the raw record count. The exposed database was subsequently destroyed by a bot attack, and the company made no public response to the incident.
Description
On January 31, 2021, cybersecurity researcher Bob Diachenko publicly disclosed via Twitter that Raychat, an Iranian business and social messaging platform, had exposed its entire database, containing over 267 million user records. The unprotected database included names, email addresses, passwords, metadata, and encrypted chat content. Diachenko's initial analysis found that the exposed "users" collection held 267,278,794 records, and that many entries were duplicate accounts created by the same users alongside automated bot accounts generated by Raychat's own service operations. The researcher noted that the database was subsequently wiped by a bot attack, although the exact relationship between the exposure and this destructive event is unclear from the available reports: an unauthenticated database reachable from the internet can be found and destroyed by automated scanners independently of any human reading of its contents. Raychat (@Raychat_io) issued no official acknowledgment of the exposure or of the database's destruction at the time of disclosure.

The incident exposed highly sensitive personal information, including credentials that could enable account takeover and metadata that could reveal who communicated with whom and when. The public reports do not state whether the passwords were stored in plaintext or hashed, nor how they were hashed, so the practical severity of the credential exposure cannot be judged from the disclosure alone; at minimum, the data created a credential-stuffing risk for users who reused the same password on other services. Likewise, encryption of chat contents protects them only if the keys were not stored alongside the data, a point the available reports do not address. The destruction of the database by automated bot activity added an availability and data-loss impact on top of the confidentiality exposure, and because the extent of any exfiltration before the wipe could not be verified from public sources, affected users had no way to know whether their data had been copied. The absence of any organizational response left them without confirmation of mitigation measures or notification of potential misuse of their information, so the prudent assumption for users and for services that share their user base is that the credentials were compromised. With over 267 million records involved, the breach was one of the largest data exposures attributed to an Iranian technology platform disclosed during this period. It is also a reminder that a database listening on a public interface without authentication needs no exploit to be breached: it will be indexed by internet-wide scanners and, as happened here, can be emptied by a bot before its owner notices.
