Millions of text messages leaked through exposed TrueDialog server

Database of 604GB included unencrypted passwords and the contents of SMS messages

A trove of highly sensitive data of more than a billion entries was exposed through an unsecured database run by a US-based enterprise communications firm.

More than 604GB of data, including usernames and plaintext passwords as well as personally identifiable information, was exposed after SMS messaging service provider TrueDialog failed to properly secure its database, researchers claim.

The data, which was publicly accessible using a URL search, included login details and the full contents of SMS messages, which often included other sensitive information like phone numbers, email addresses and the dates and times messages were sent.

Discovered as part of vpnMentor's web mapping project, the unsecured and unencrypted database exposed the details of potentially tens of millions of TrueDialog users and customers, which left many vulnerable to cyber attack.

The database also contained technical logs that showed how the database is structured and managed, as well as logs of internal system errors and many HTTP requests and responses, which could have exposed further vulnerabilities.

"This was a huge discovery, with a massive amount of private data exposed, including tens of millions of SMS text messages," said the research team, led by security experts Noam Rotem and Ran Locar. 

"Aside from private text messages, our team discovered millions of account usernames and passwords, PII data of TrueDialog users and their customers, and much more." 

"By not securing their database properly, TrueDialog compromised the security and privacy of millions of people across the USA."

The leak was discovered on 26 November and reported to the communications firm two days later once their ownership of the database was verified. TrueDialog closed the database a day later.

The data is hosted on a Microsoft Azure server and runs on the Oracle Marketing Cloud in the US.

This data leak could have a lasting impact on tens of millions of people, the research team added, with no telling whether the data was accessed by third parties.

Scammers can use the information to conduct fraud and identity theft, for example, as well as phishing scams online or by targeting people through phone calls. Blackmail is also a big risk, with cyber criminals able to glean private and potentially compromising material from plaintext SMS message content.

Industrial espionage is another potential issue, with the leak making it possible for a user's competitor to learn about marketing campaigns, rollout dates for new products, or even product design and specs, among many other areas.

The vpnMentor team suggested the leak could have been prevented if TrueDialog "had taken some basic security measures" including securing the servers in the first place, implementing proper access rules, and not leaving a system that required no authentication open to the internet.

"Our team was able to access this database because it was completely unsecured and unencrypted," they continued.

"The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing the database schemata. 

"The purpose of this web mapping project is to help make the internet safer for all users. As ethical hackers, we're obliged to inform a company when we discover flaws in their online security. This is especially true when the company's data breach contains such private information."

Exposed databases have been identified as the source of various leaks and breaches in recent times across both small and large companies. 

Biometric information including registered fingerprints belonging to one million people was exposed earlier this year, for example, when the Biostar 2 database was accidentally made unprotected.

In September, meanwhile, the personal data on every Ecuadorian citizen was leaked online through an exposed AWS server.
