Millions of text messages leaked through exposed TrueDialog server

Database of 604GB included unencrypted passwords and the contents of SMS messages

A trove of highly sensitive data of more than a billion entries was exposed through an unsecured database run by a US-based enterprise communications firm.

More than 604GB of data, including usernames and plaintext passwords as well as personally identifiable information, was exposed after SMS messaging service provider TrueDialog failed to properly secure its database, researchers claim.

The data, which was publicly accessible using a URL search, included login details and the full contents of SMS messages, which often included other sensitive information like phone numbers, email addresses and the dates and times messages are sent.

Discovered as part of vpnMentor's web mapping project, the unsecured and unencrypted database exposed the details of potentially tens of millions of TrueDialog users and customers, which left many vulnerable to cyber attack.

Advertisement - Article continues below
Advertisement - Article continues below

The database also contained technical logs that showed how the database is structured and managed, as well as logs of internal system errors and many HTTP requests and responses, which could have exposed further vulnerabilities.

"This was a huge discovery, with a massive amount of private data exposed, including tens of millions of SMS text messages," said the research team, led by security experts Noam Rotem and Ran Locar. 

"Aside from private text messages, our team discovered millions of account usernames and passwords, PII data of TrueDialog users and their customers, and much more." 

"By not securing their database properly, TrueDialog compromised the security and privacy of millions of people across the USA."

The leak was discovered on 26 November and reported to the communications firm two days later once their ownership of the database was verified. TrueDialog closed the database a day later.

The data is hosted on a Microsoft Azure server and runs on the Oracle Marketing Cloud in the US.

Advertisement - Article continues below

The impact of this data leak can have a lasting impression for tens of millions of people, the research team added, with no telling whether the data was accessed by third parties.

Scammers can use the information to conduct fraud and identity theft, for example, as well as phishing scams online or by targeting people through phone calls. Blackmail is also a big risk, with cyber criminals able to glean private and potentially compromising material from plaintext SMS message content.

Industrial espionage is another potential issue, with the leak making it possible for a user's competitor to learn about marketing campaigns, roll out dates for new products, or even product design and specs, among many other areas.

Related Resource

Understanding the must-haves of modern data protection

Go beyond traditional backup and recovery

Download now

The vpnMentor team suggested the leak could have been prevented if TrueDialog "had taken some basic security measures" including securing the servers in the first place, implementing proper access rules, and not leaving a system that required no authentication open to the internet.

Advertisement - Article continues below

"Our team was able to access this database because it was completely unsecured and unencrypted," they continued.

"The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing the database schemata. 

Advertisement - Article continues below

"The purpose of this web mapping project is to help make the internet safer for all users. As ethical hackers, we're obliged to inform a company when we discover flaws in their online security. This is especially true when the companies data breach contains such private information."

Exposed databases have been identified as the source of various leaks and breaches in recent times across both small and large companies. 

Biometric information including registered fingerprints belonging to one million people was exposed earlier this year, for example, when the Biostar 2 database was accidentally made unprotected.

In September, meanwhile, the personal data on every Ecuadorian citizen was leaked online through an exposed AWS server.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020

Windows 10 and the tools for agile working

20 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020