80 million records exposed in SMS spam operation

ApexSMS suffers data breach exposing the records of 80 million people.

Discovered by security researcher Bob Diachenko, ApexSMS, an SMS text marketing company has suffered a data breach exposing the personally identifiable information of more than 80 million people which was then submitted on an unsecured database. 

The exposed database contained 80 million records which included people’s names, locations, phone numbers and IP addresses, as well as mobile numbers and their network.

Very little is known about the company ApexSMS other than it relies on ‘Mobile Drop’, a cloud based SMS platform. Mobile Drip simply allows users to send pre-written messages in bulk. Upon further investigation Diachenko identified that ApexSMS is also the same name of an SMS Bombing program.

Diachenko defines SMS Bombing as:

“A software program that duplicates the same message multiple times or rotates different messages and sends all the messages to a number of your choice.”

SMS Bombing can be used for marketing products or services, as well as for harassment.

An estimated 38 million messages had been sent through disposable toll-free phone numbers, of which 2.1 million victims clicked on the link in the message. The  database  kept track of those who clicked on the links, which then led victims to scam sites. Their credentials were scraped and then submitted to the ApexSMS’ spam database. The database also recorded when victims replied, with more than 115,000 people responding to the spam texts.

Mobile Drip denied any connection to ApexSMS stating:

“We take compliance and data security very seriously, and we are currently investigating to determine to what extent our information has been exposed to unauthorized parties. We have currently engaged an outside legal firm to assist with our investigation of this matter and we are also engaging a cyber security firm to perform a security audit.

“Our servers have always been password protection, so any information that may have been acquired was done so through illegal means with the goal of harming the reputation and financial success of the business.”

Diachenko said:

“This incident raises the issue once again that data security can affect legitimate businesses and what many would consider ‘gray marketing’ at best.”


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/