Two privacy stories broke within days of each other in May 2026, and read together they make one quiet point: the data that can hurt you later is the data that gets stored.
First, a dataset claiming to hold details of more than 200 million Telegram accounts — usernames, email addresses, phone numbers, and in some cases partial password data — surfaced on a dark-web forum. Around the same time, researchers documented how Telegram's network layer can leak persistent identifiers that let network operators correlate users without ever breaking the encryption itself.
Then TechCrunch reported a new phishing wave aimed at Signal users: attackers trying to trick people into handing over the recovery key that unlocks their cloud message backups — which can hold years of old chats, photos, and documents.
The common thread: accounts and history are the attack surface
Look at what both attacks actually go after. Not the live end-to-end encryption — that mostly held up. They target the accounts and the stored history sitting around afterwards: the phone number tied to your identity, the address book, the backup full of old messages.
That is the uncomfortable trade every account-based messenger makes. To be convenient — to sync across your devices, to let friends find you, to restore your history on a new phone — it has to keep things. And anything kept is something that can later be leaked, subpoenaed, or phished.
For your day-to-day private messaging, a serious app like Signal is still an excellent choice; it stores famously little and encrypts by default. This is not an argument against it. It is an argument about a different situation that comes up constantly:
You just need to send one private thing to one person, right now, and you would rather it not live anywhere afterwards.
A Wi-Fi password. A home address. A document you are sending to a landlord. A sensitive note to a colleague. For that, you do not need a permanent account at all. You need something that leaves nothing behind.
What a no-account, self-destructing chat does differently
This is exactly the gap our free Secret Chat tool fills. It is deliberately the opposite of an account-based messenger:
- No account, no phone number, no app. There is nothing tying the conversation to your identity, so there is no account database to leak and no recovery key to phish.
-
End-to-end encrypted in your browser. The encryption key is generated on your device and lives in the link's
#fragment — the one part of a URL browsers never send to a server. Our server only ever stores ciphertext it has no key for. - It self-destructs. You pick a timer (from one hour up to a month, or destroy instantly), and the whole conversation — text and files — is deleted when it runs out. What is not stored cannot leak.
- It works for groups too. Share a link, or a Group ID plus passphrase, and several people can join with a name and photo — without anyone signing up for anything.
The principle is the same one the Telegram and Signal incidents keep teaching: the safest message is the one that no longer exists.
How to share something privately right now
If you have a one-off private thing to send, here is a clean way to do it:
- Open Secret Chat and create a room. Choose a short self-destruct timer — an hour is plenty for sharing a password.
- Copy the link and send it to the person through a different channel than the secret itself. The link contains the decryption key, so treat it like a password.
- Say what you need to say. Share the file if you need to.
- Tap Destroy when you are done, or just let the timer delete everything for you.
That is the whole flow. No install, no account, nothing kept.
The takeaway
Breaches and phishing campaigns will keep happening, because storing data is what most apps are built to do. You cannot leak what was never collected, and you cannot phish a backup that does not exist. For the conversations that should simply disappear, reach for a tool that is built to forget — start a secret chat here.
Sources: TechCrunch — hackers targeting Signal backups, reporting on the May 2026 Telegram dataset leak and MTProto network-layer tracking disclosures.
Top comments (1)
The useful point here is the split between transport privacy and stored-history privacy.
A lot of tools can honestly say “encrypted” while still leaving behind the risky parts: account identity, contact graph, recovery flows, old attachments, logs, and backups nobody remembers setting up.
For one-off sensitive stuff, short-lived is often better than “secure but forever.” Same reason I’m wary of email/chat products that focus only on encryption and not enough on retention, export/delete, jurisdiction, and what metadata the provider can still see.