VoIP provider leaves huge database exposed online
A researcher has discovered an exposed database containing gigabytes of call logs, SMS data, and internal system credentials belonging to US Voice-over-IP (VoIP) service provider VOIPo.com.
It’s become a familiar story – a researcher trawls Shodan for something left out in the open that shouldn’t have been and is amazed at what they find.
This time the finder was Cloudflare’s Justin Paine, who on 8 January used this technique to spot an unsecured (i.e. not password protected) Elasticsearch server containing nearly 15 million documents.
This included what appear to be customer logs dating back to July 2018, and SMS/MMS logs (including time and message content) dating back to December 2015. A sample SMS published by Paine appears to be a marketing message:
Phat Panda Platinum series has arrived!! Perfect way to bring in the New Year!
Most phone numbers were partially redacted, but those in SMS logs were full numbers.
Separately, news site Tech News looked at the data and found credentials for customer login pages, which is why anyone who uses VOIPo should change their passwords as a precaution.