Right, the key trick here is that Telegram is easily used as an Oracle.
Telegram has essentially agreed to tell you whether any phone number is correct, so you can just guess all the phone numbers. Never allow this unless the thing an adversary has to guess is both _completely random_ and from a _very large keyspace_ (128 bits is where you can start to feel safe). If you find you're cornered into doing this (e.g. typical email + password login), aggressively rate limit it, so the adversary has to work harder/longer to take advantage and maybe they'll give up.
Phone numbers are neither random nor from a large key space; it's maybe 10^12 worldwide or something? Much too small.
But you have no correlation between it and the Telegram user. This bug is about this correlation.
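An added example, not part of either comment above: a per-client token bucket in front of an existence-check lookup, plus the arithmetic for how long the limit makes a full sweep of the keyspace take. The class and function names, the burst size and the refill rate are assumptions chosen for illustration; 10^12 is the rough estimate from the comment.

```python
class LookupLimiter:
    """Per-client token bucket for an endpoint that answers
    'is this identifier registered?' (hypothetical service)."""

    def __init__(self, burst, per_second):
        self.burst = burst        # lookups allowed back to back
        self.rate = per_second    # sustained lookups per second
        self.buckets = {}         # client_id -> (tokens, last_seen)

    def allow(self, client_id, now):
        tokens, last = self.buckets.get(client_id, (self.burst, now))
        # Refill for the elapsed time, capped at the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[client_id] = (tokens, now)
            return False          # caller should reject, e.g. HTTP 429
        self.buckets[client_id] = (tokens - 1, now)
        return True


def days_to_enumerate(keyspace, clients, per_second):
    """Days needed to query every value in `keyspace` when `clients`
    accounts each run at the sustained limit."""
    return keyspace / (clients * per_second) / 86400


def simulate(limiter, client_id, attempts, interval):
    """Constructed traffic: one client sends `attempts` lookups,
    `interval` seconds apart; returns how many were allowed."""
    return sum(limiter.allow(client_id, i * interval) for i in range(attempts))


if __name__ == "__main__":
    limiter = LookupLimiter(burst=5, per_second=0.5)
    print("allowed of 100:", simulate(limiter, "client-a", 100, 1))
    for keyspace, label in ((10**12, "10^12 numbers"), (2**128, "128-bit token")):
        for clients in (1, 10**6):
            days = days_to_enumerate(keyspace, clients, 0.5)
            print(f"{label}, {clients} client(s): {days:.3g} days")
```

The limit only stretches the sweep in proportion to how hard accounts are to obtain: at this rate a single client needs tens of millions of days for 10^12 values, but a million clients need about 23, whereas a 128-bit random value stays out of reach either way.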