SMS company exposes millions of text messages, credentials online
Researchers have found yet another massive database inadvertently exposed online, leaking millions of records.
This time, it was a database of SMS messages from enterprise texting services provider TrueDialog, and the people who found it claim that the exposure could have compromised tens of millions of people.
Researchers Noam Rotem and Ran Locarat at vpnMentor first found the database on Microsoft’s Azure cloud platform on 26 November 2019. It displayed what they described as a “massive amount of private data”, including tens of millions of SMS text messages. Also in public view were millions of account usernames and passwords, they said.
Founded in 2008, Texas-based TrueDialog provides SMS solutions for businesses, enabling them to send mass texts for marketing purposes, along with sector-specific applications such as student SMS notifications for the education industry.
According to a blog post on the vpnMentor website, the database contained 604 GB of data comprising nearly a billion entries. These included email addresses, usernames, passwords stored in plain text, and some other passwords stored with base64 encoding (an encoding scheme used to preserve data integrity during transmission, not an encryption mechanism that protects passwords).
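The difference between encoding and password protection, as an added example (not vpnMentor's or TrueDialog's code): a Python check that classifies stored password values from a credential table and shows that a base64 value decodes back to the password with no key. The function names, the hash-prefix list and the sample rows are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from collections import Counter
from typing import Optional

# Prefixes of common salted password-hash formats (bcrypt, Argon2, PBKDF2, scrypt).
HASH_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2", "$pbkdf2", "$scrypt$")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def decode_if_base64(value: str) -> Optional[str]:
    """Return the decoded text if value is base64 of printable UTF-8, else None.

    Heuristic check. No key or secret is needed, which is why base64
    gives a stored password no protection.
    """
    if len(value) < 8 or len(value) % 4 or not B64_RE.fullmatch(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify(value: str) -> str:
    """Label one stored credential value by how it is stored."""
    if value.startswith(HASH_PREFIXES):
        return "hashed"
    if decode_if_base64(value) is not None:
        return "base64-encoded"
    return "plaintext-or-unknown"


def audit(rows):
    """Count storage classes across (username, stored_password) rows."""
    return Counter(classify(stored) for _user, stored in rows)


# Constructed sample rows, not taken from any real data set.
SAMPLE_ROWS = [
    ("alice", "Tr0ub4dor&3-sample"),
    ("bob", base64.b64encode(b"Tr0ub4dor&3-sample").decode()),
    ("carol", "$2b$12$" + "x" * 53),  # placeholder with bcrypt layout, not a real hash
]

if __name__ == "__main__":
    for user, stored in SAMPLE_ROWS:
        print(user, classify(stored), decode_if_base64(stored))
    print(dict(audit(SAMPLE_ROWS)))
```

Any row outside the "hashed" class should be treated as a recoverable password when scoping a credential reset.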
Aside from the account logins, the researchers also found message content, the full names of recipients and TrueDialog account holders, and phone numbers. They added:
We also found in the database logs of internal system errors as well as many http requests and responses, which means that whoever found it could see the site’s traffic. This could by itself had exposed vulnerabilities [sic].
The leaky system logs could also have given competitors a look at TrueDialog’s backend systems and potentially a way to gain a competitive edge over the company, vpnMentor’s blog post suggested. It also warned that anyone who accessed the data could have taken over user accounts and engaged in corporate espionage by snooping on account holders’ SMS texts or even stealing leads generated by the SMS system.