Millions of text messages leaked through exposed TrueDialog server

Database of 604GB included unencrypted passwords and the contents of SMS messages

A trove of highly sensitive data of more than a billion entries was exposed through an unsecured database run by a US-based enterprise communications firm.

More than 604GB of data, including usernames and plaintext passwords as well as personally identifiable information, was exposed after SMS messaging service provider TrueDialog failed to properly secure its database, researchers claim.

The data, which was publicly accessible using a URL search, included login details and the full contents of SMS messages, which often included other sensitive information like phone numbers, email addresses and the dates and times messages are sent.

Discovered as part of vpnMentor's web mapping project, the unsecured and unencrypted database exposed the details of potentially tens of millions of TrueDialog users and customers, which left many vulnerable to cyber attack.

The database also contained technical logs that showed how the database is structured and managed, as well as logs of internal system errors and many HTTP requests and responses, which could have exposed further vulnerabilities.

"This was a huge discovery, with a massive amount of private data exposed, including tens of millions of SMS text messages," said the research team, led by security experts Noam Rotem and Ran Locar. 

"Aside from private text messages, our team discovered millions of account usernames and passwords, PII data of TrueDialog users and their customers, and much more." 

"By not securing their database properly, TrueDialog compromised the security and privacy of millions of people across the USA."

The leak was discovered on 26 November and reported to the communications firm two days later once their ownership of the database was verified. TrueDialog closed the database a day later.

The data is hosted on a Microsoft Azure server and runs on the Oracle Marketing Cloud in the US.

The impact of this data leak can have a lasting impression for tens of millions of people, the research team added, with no telling whether the data was accessed by third parties.

Scammers can use the information to conduct fraud and identity theft, for example, as well as phishing scams online or by targeting people through phone calls. Blackmail is also a big risk, with cyber criminals able to glean private and potentially compromising material from plaintext SMS message content.

Industrial espionage is another potential issue, with the leak making it possible for a user's competitor to learn about marketing campaigns, roll out dates for new products, or even product design and specs, among many other areas.

Related Resource

Understanding the must-haves of modern data protection

Go beyond traditional backup and recovery

Download now

The vpnMentor team suggested the leak could have been prevented if TrueDialog "had taken some basic security measures" including securing the servers in the first place, implementing proper access rules, and not leaving a system that required no authentication open to the internet.

"Our team was able to access this database because it was completely unsecured and unencrypted," they continued.

"The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing the database schemata. 

"The purpose of this web mapping project is to help make the internet safer for all users. As ethical hackers, we're obliged to inform a company when we discover flaws in their online security. This is especially true when the companies data breach contains such private information."

Exposed databases have been identified as the source of various leaks and breaches in recent times across both small and large companies. 

Biometric information including registered fingerprints belonging to one million people was exposed earlier this year, for example, when the Biostar 2 database was accidentally made unprotected.

In September, meanwhile, the personal data on every Ecuadorian citizen was leaked online through an exposed AWS server.

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Leading the data race

The trends driving the future of data science

Download now

How to create 1:1 customer experiences at scale

Meet the technology capable of delivering the personalisation your customers crave

Download now

How to achieve daily SAP releases

Accelerate the pace of SAP change to support your digital strategy

Download now

Most Popular

Unilever adopts Google Cloud’s complex data processing for conservation drive
big data analytics

Unilever adopts Google Cloud’s complex data processing for conservation drive

22 Sep 2020
16 ways to speed up your laptop

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop

16 ways to speed up your laptop

16 Sep 2020