Millions of text messages leaked through exposed TrueDialog server

Database of 604GB included unencrypted passwords and the contents of SMS messages

A trove of highly sensitive data comprising more than a billion entries was exposed through an unsecured database run by a US-based enterprise communications firm.

More than 604GB of data, including usernames and plaintext passwords as well as personally identifiable information, was exposed after SMS messaging service provider TrueDialog failed to properly secure its database, researchers claim.

The data, which was publicly accessible using a URL search, included login details and the full contents of SMS messages, which often contained other sensitive information such as phone numbers, email addresses and the dates and times messages were sent.

Discovered as part of vpnMentor's web mapping project, the unsecured and unencrypted database exposed the details of potentially tens of millions of TrueDialog users and customers, which left many vulnerable to cyber attack.

The database also contained technical logs that showed how the database is structured and managed, as well as logs of internal system errors and many HTTP requests and responses, which could have exposed further vulnerabilities.

"This was a huge discovery, with a massive amount of private data exposed, including tens of millions of SMS text messages," said the research team, led by security experts Noam Rotem and Ran Locar. 

"Aside from private text messages, our team discovered millions of account usernames and passwords, PII data of TrueDialog users and their customers, and much more." 

"By not securing their database properly, TrueDialog compromised the security and privacy of millions of people across the USA."

The leak was discovered on 26 November and reported to the communications firm two days later once their ownership of the database was verified. TrueDialog closed the database a day later.

The data is hosted on a Microsoft Azure server and runs on the Oracle Marketing Cloud in the US.

The data leak could have a lasting impact on tens of millions of people, the research team added, with no telling whether the data was accessed by third parties.

Scammers can use the information to conduct fraud and identity theft, for example, as well as phishing scams online or by targeting people through phone calls. Blackmail is also a big risk, with cyber criminals able to glean private and potentially compromising material from plaintext SMS message content.

Industrial espionage is another potential issue, with the leak making it possible for a user's competitor to learn about marketing campaigns, roll-out dates for new products, or even product design and specs, among many other areas.

The vpnMentor team suggested the leak could have been prevented if TrueDialog "had taken some basic security measures" including securing the servers in the first place, implementing proper access rules, and not leaving a system that required no authentication open to the internet.

"Our team was able to access this database because it was completely unsecured and unencrypted," they continued.

"The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing the database schemata. 

"The purpose of this web mapping project is to help make the internet safer for all users. As ethical hackers, we're obliged to inform a company when we discover flaws in their online security. This is especially true when the companies data breach contains such private information."

Exposed databases have been identified as the source of various leaks and breaches in recent times across both small and large companies. 

Biometric information including registered fingerprints belonging to one million people was exposed earlier this year, for example, when the Biostar 2 database was accidentally left unprotected.

In September, meanwhile, personal data on every Ecuadorian citizen was leaked online through an exposed AWS server.
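
An added example, not from the article, TrueDialog or vpnMentor: a small Python audit of an `elasticsearch.yml` for the condition the researchers describe, an Elasticsearch HTTP API reachable from the network with no authentication required. The sample configs are constructed, the parser handles only flat dotted keys, and treating a missing `xpack.security.enabled` as disabled is an assumption that depends on the Elasticsearch release in use.

```python
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}

def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines; ignores comments, blanks and nesting."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def as_bool(value, default):
    return default if value is None else value.lower() == "true"

def audit(text, security_default=False):
    """Return findings for one config. security_default is the assumed value of
    xpack.security.enabled when the key is absent (an assumption; it differs
    between Elasticsearch releases)."""
    s = parse_flat_yaml(text)
    # http.host overrides network.host for the HTTP API; default is loopback.
    host_value = s.get("http.host", s.get("network.host", "_local_"))
    hosts = [h.strip().strip("\"'") for h in host_value.strip("[]").split(",")]
    exposed = any(h not in LOOPBACK for h in hosts)
    auth = as_bool(s.get("xpack.security.enabled"), security_default)
    tls = as_bool(s.get("xpack.security.http.ssl.enabled"), False)
    findings = []
    if exposed and not auth:
        findings.append("CRITICAL: HTTP API on a non-loopback address, no authentication")
    elif not auth:
        findings.append("WARN: authentication disabled (loopback only)")
    if exposed and not tls:
        findings.append("HIGH: HTTP API reachable over the network without TLS")
    return findings

# Constructed sample configs (not taken from any real deployment).
WEAK = "cluster.name: sms-logs  # sample\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"
HARDENED = ("cluster.name: sms-logs\nnetwork.host: _site_\n"
            "xpack.security.enabled: true\n"
            "xpack.security.http.ssl.enabled: true\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

A clean result here covers only the node's own settings; firewall rules, cloud security groups and role permissions still need their own review.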
