#Privacy: Millions of SMS messages leaked due to unprotected database

An unprotected database has resulted in a massive data leak impacting tens of millions of Americans.

Security researchers at vpnMentor, Noam Rotem and Ran Loar, discovered that the database belonged to TrueDialog, a business SMS provider for businesses and higher education institutions whereby bulk text messages can be sent.

Researchers discovered that the unprotected database, hosted by Microsoft Azure, was not password protected. The lack of protection led to the expoure 604 GB of data, including nearly a billion entries of sensitive data. 

“It’s difficult to put the size of this data leak into context. Tens of millions of people were potentially exposed in a number of ways. It’s rare for one database to contain such a huge volume of information that’s also incredibly varied,” said vpnMentor. 

“The database contained entries that were related to many aspects of TrueDialog’s business model. The company itself was exposed, along with its client base, and the customers of those clients.”

The data leak compromised full names of message recipients, TrueDialog account holders and users; email addresses; phone numbers of both recipients and account users; dates and times messages were sent; and message status indicators.

In addition clear-text and decryptable base64-encoded account log-ins for TrueDialog clients were exposed. This could potentially allow threat actors to conduct account takeover attacks, as well as identity fraud and phishing.

The database was discovered on November 26; TrueDialog were notified about the incident two days later, before the database was pulled offline.

Kelly White, CEO of RiskREcon told Infosecurity Magazine, said:

“It’s so important for companies to extend their ability to safeguard data across the networks of any third or fourth party with whom they interact, which means asking questions like whether service providers have taken the necessary precautions to keep sensitive data under lock and key. That includes using cloud storage that isn’t internet-facing in order to reduce unnecessary exposure.”

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.