What Danger am I Inviting if I Store Telegram User IDs Unhashed/Unencrypted in a Database?

I am working on a bot that echoes the latest YT video title of a specific Youtube Channel to its users. However, it will only echo the video title only if it contains at least one of the user's inputted keywords. To ensure all users will receive the info at the roughly the same time, the bot has a global timer set to every hour.

For instance:

• User A, User B, and User C have different saved keywords, but they have "Deep learning" in common. Let's assume they are all under the same timezone. User A set his keywords at 1:20 PM, User B set his at 1:30 PM, and User C set hers at 1:55 PM
• The global timer was set at 10:00 AM every hour, so they will all receive a message of the video title at 2:00 PM if the title contains "Deep learning"

Currently, I am storing the Chat_ID (which is the same as User_ID because the bot is for private chat) and a string Keywords in the database. For security, I encrypted the keywords to prevent the potential mapping of user behavior. In other words, every other column except for the Chat_ID is encrypted. My concern presents itself as the title of this post. Since Chat_ID is unique, I am using it to index my database. If I were to hash it, I would lose the ability of quick lookups if the user ever wishes to update his/her current list of keywords.

So: what danger am I inviting if I store telegram user IDs unhashed/unencrypted in a database? I currently am unaware of the potential harm a bad actor might do if he/she were to acquire them

I did not foresee myself with this problem, so I initially hashed the Chat_ID/User_ID. I could generate a column specifically designed for indexing (PK and autoincrement), but what purpose does it serve if I cannot perform quick lookups with it?

I am using Python 3.12, Read more, Sqlite3

Answer

Storing Telegram chat Id's unencrypted in your bot's database isn't inherently dangerous, as these IDs are not secret and only allow message sending if the user has interacted with your bot. However, they are still unique and static identifiers, so if your database is compromised, a bad actor could potentially map users to interests (if they can decrypt the keywords👨🏾‍💻👨🏾‍💻) or attempt spam/phishing if they can find a way to reach those users. Although the risk is relatively low for small, private bots, chat Id's should still be treated as personally identifiable information, and access to the database should be tightly secured. A good compromise is to use an auto-increment primary key for indexing while storing them in plaintext with proper access controls, encryption for sensitive fields (like keywords), and regular security audits. Overcomplicating with hashed chat Id's and lookup tables is unnecessary unless you're building for high-security environments.