Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jul 15, 2026 · 6 min read

Sobchak's Telegram Hijacked Through Her Email Account

Around 2 p.m. on July 8, 2026, attackers broke into Russian journalist Ksenia Sobchak's email account and used it to seize two Telegram channels with a combined 1.5 million subscribers, posting screenshots they claimed were her private correspondence with Kremlin officials.

Sobchak's team got the channels back roughly three hours later. The messages the hackers left behind did not. Once a hacktivist group calling itself Black Mirror had control of the "Sobchak" and "Bloody Lady" channels, it didn't need to breach Telegram at all. It needed one password reset email, sitting in an inbox it already owned.

Key Takeaways

  • Hackers breached Ksenia Sobchak's email account on July 8, 2026, and used that access to briefly seize two Telegram channels, "Sobchak" (372,000 subscribers) and "Bloody Lady" (1.14 million subscribers), a combined audience of roughly 1.5 million, per The Record.
  • The hacktivist group Black Mirror claimed responsibility and said it holds a 350 gigabyte archive of Sobchak's correspondence spanning 2015 to 2026, which it is offering for sale.
  • Sobchak's staff regained control of both channels about three hours after the breach, but not before attackers posted screenshots alleging she coordinated coverage decisions with Russian officials, including chief culture censor Sergei Novikov.
  • Sobchak told the independent outlet Agentstvo the leaked correspondence was fabricated, and both The Record and Meduza reported the incident without independently verifying the messages' authenticity.
  • The case mirrors an April 2026 Committee to Protect Journalists report in which spear phishing against Egyptian and Lebanese journalists targeted their Apple, Microsoft, and Google accounts as the entry point for broader surveillance.
A journalist's dark desk at night with a smartphone showing a blurred messaging app beside a laptop open to an email login screen, lit by a warm desk lamp

What Happened to Sobchak's Accounts?

Attackers compromised Ksenia Sobchak's email account and rode that access straight into two Telegram channels run by her media holding. Per The Record's reporting, Sobchak said the intrusion started with her email, not with Telegram's own login system. Her holding, which also runs the news channels "Ostorozhno Novosti" and "Ostorozhno Moskva," warned followers that anything posted on the compromised channels after 2 p.m. that day wasn't from the real team and urged people not to click any links. Staff reported the channels back under their control roughly three hours later, a detail confirmed by Meduza's initial coverage.

In that window, attackers posted purported screenshots of exchanges between Sobchak and Sergei Novikov, a Kremlin official overseeing cultural censorship, discussing whether to run footage of drone strikes on Moscow, fuel shortages, and military conscription stories. A separate batch named Andriy Yermak, former head of Ukraine's presidential office, in messages dated to March 2022.

Who Is Black Mirror, and What Are They Claiming?

Black Mirror is a pro Ukrainian hacktivist collective active since at least 2019, marketing archives of data it says it stole from people connected to the Russian state, including files it previously attributed to former defense minister Sergei Shoigu and the late Wagner chief Yevgeny Prigozhin. A separate anonymous account, VChK-OGPU, released what it described as voice messages from the same cache, and Meduza's follow up reporting detailed what the screenshots allegedly showed.

In Sobchak's case, Black Mirror says it holds roughly 350 gigabytes of her correspondence covering 2015 through 2026 and is offering it for sale. Neither The Record nor Meduza could independently verify the leaked screenshots, and Sobchak told Agentstvo the material was fabricated. What isn't in dispute is the access point: an email account, not a Telegram exploit, is what put the hackers inside her channels.

How Does an Email Breach Become a Telegram Takeover?

An email breach becomes a Telegram takeover through account recovery. Telegram lets an owner log in on a new device with a phone number and an SMS or call code, but if two step verification is on, the account also needs a recovery password, and Telegram emails a reset link to the address on file when that password is forgotten. Neither The Record nor Meduza published the exact technical chain attackers used against Sobchak's channels, and we won't speculate beyond what was reported. The pattern that is consistent with public reporting: whoever controls the inbox tied to an account can usually reset or bypass whatever sits in front of it.

That pattern isn't unique to Telegram. Our earlier coverage of Russian hackers hijacking Signal accounts through linked devices documented a different technical route into a different app, but the same weakness: a messaging account is only as secure as the recovery channels wired up behind it, and email sits behind nearly all of them.

Why This Is an Email Story, Not Just a Telegram Story

Coverage of the incident has focused mostly on the leaked messages and the political fallout in Russian media circles. The more durable lesson sits one layer down. For a journalist, an email account isn't just where mail lives, it's the recovery mechanism for every other account tied to that address: Telegram, Signal, banking, cloud storage, source communication tools. Compromise the inbox and an attacker doesn't need to defeat those platforms directly, they just need each one to reset a password and let the email account vouch for them.

That's why generic account advice, use a strong password, don't click suspicious links, undersells the real risk facing reporters. If email is the weak point, hardening Telegram itself does little. The inbox has to be the priority, a theme we've also covered in cases involving government spyware alerts appearing directly inside Gmail, where the notification is often the first sign a journalist's inbox has already drawn state level attention.

How Can Journalists Protect Their Accounts?

Journalists can cut off the email to messaging app pivot with a few concrete changes.

  • Move to a hardware security key. A physical key such as a YubiKey resists phishing in a way SMS codes and app based one time passwords don't, since the key checks it's talking to the real login page before authenticating at all.
  • Use a dedicated, separate recovery email. An address that isn't publicly known and isn't tied to any other account removes the single point of failure that let attackers cascade from Sobchak's inbox into her channels.
  • Set a Telegram two step verification password, and lock down the recovery email behind it. The cloud password blocks a bare SIM swap or SMS intercept, but only if the recovery address behind it isn't the account that just got breached.
  • Audit active sessions weekly. Both Gmail and Telegram list every device and location logged into an account. A five minute check for unfamiliar sessions catches quiet access before it turns into a public leak.

These steps echo guidance we laid out after Russian state hackers were caught bypassing Gmail's two step verification using app passwords rather than cracking MFA directly. Account takeovers rarely defeat security features head on, they route around whatever secondary channel was left unguarded.

What to Watch Next

Sobchak's case isn't isolated. In April 2026, the Committee to Protect Journalists reported spear phishing against Egyptian journalists Mostafa Al-A'sar and Ahmed Tantawy and an unnamed Lebanese journalist, aimed at their Apple, Microsoft, and Google accounts. Access Now researcher Mohammed Al-Maskati told CPJ the targeting pattern pointed to likely government involvement. Three months later, a different journalist and a different set of attackers produced the same story: the email account went first, and everything else followed.

Whether or not the correspondence attributed to Sobchak is genuine, the access method behind it has now been demonstrated twice this year against journalists in very different countries. For reporters weighing which security investment to make first, that repetition is the real signal, not the content of any single leak.

Stop Email Tracking in Gmail

An email compromise is rarely the end of an attack, it's the entry point. Protecting the inbox that every other account depends on comes first.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.