Millions of text messages leaked through exposed TrueDialog server
- by Xavier Trudeau
- in Finance
- Dec 3, 2019
A database housing millions of private SMS text messages was left open online for an extended period of time, a team of researchers at the online privacy company vpnMentor said Sunday.
Because the exposed data included over 10 million SMS messages sent via TrueDialog, along with a technical log describing how the database is structured and managed, the vpnMentor researchers claim that threat actors could use the information to help wage attacks against both businesses and their customers.
TrueDialog provides SMS solutions to businesses and higher education institutions, allowing such organizations not only to communicate with their customers via SMS but also to let those customers text the business back directly. "We disclosed our findings and offered our expertise in helping them close the data leak and ensure nobody was exposed to risk", the researchers said. But since the server was left on the internet without password protection, none of the data was secured, and anyone could look inside.
The leak was discovered on 26 November and reported to the communications firm two days later once their ownership of the database was verified.
"The goal of this web mapping project is to help make the internet safer for all users". If malicious intruders accessed the database, they could have used some of the information for phishing scams and fraud. "Tens of millions of people were potentially exposed in a number of ways". The database contained information about university finance applications, marketing messages from businesses with discount codes, and job alerts, among other things.
As well as text messages sent to end users, the database contained details on TrueDialog's business model, along with its client base and the customers of those clients. One table alone held tens of millions of messages, many of them from recipients trying to opt out of receiving text messages. Wright also did not answer any of our questions, including whether the company would inform customers of the security lapse and whether he plans to inform regulators, such as state attorneys general, per state data breach notification laws.
For example, user data could be sold to spammers and marketers.