Data Leak May Affect Tens of Millions, VPNMentor Reports
Researchers uncovered an unsecured database belonging to TrueDialog, an Austin, Texas-based business SMS texting solutions provider, which exposed data on millions, including text messages, names, addresses and other information, according to a report by VPNMentor researchers.
VPNMentor says “tens of millions of people were potentially exposed in a number of ways” as a result of the data leak.
Upon being notified by VPNMentor researchers, TrueDialog closed the database Friday, the researchers note in the blog post. TrueDialog, an SMS provider that enables U.S. companies, colleges and universities to send bulk text messages, declined to comment to Information Security Media Group about the issue.
VPNMentor researchers Noam Rotem and Ran Locar say they discovered on Nov. 26 the leaky Microsoft Azure-hosted database, which held 604 GB of data and close to 1 billion entries of TrueDialog customer and business data.
“This was a huge discovery, with a massive amount of private data exposed, including tens of millions of SMS text messages,” Rotem and Locar note in the blog. “Aside from private text messages, our team discovered millions of account usernames and passwords, PII data of TrueDialog users and their customers, and much more.”
The exposed data consisted of years of information on TrueDialog's business model, the company's conversations with its customers and their account details, the researchers note.
Because the data was stored unencrypted, the researchers note, millions of TrueDialog customer account logins remained accessible in clear text.
The two researchers say they were able to access the data by manipulating the search criteria in the server's URL.
“The company uses an Elasticsearch database, which is ordinarily not designed for URL use,” the researchers note. “However, we were able to access it via browser and manipulate the URL search criteria into exposing the database schemata.”
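As an added illustration, not code from VPNMentor's report or from TrueDialog, the Python script below shows what "accessing it via browser" amounts to against an Elasticsearch node whose REST port has no authentication in front of it: the same standard paths a browser can reach by editing the URL (`/_cat/indices`, `/_mapping`, `/_search`) are requested and the answers turned into a verdict of unreachable, auth required, or exposed. The hostname `es.example`, the port, and the sample responses are constructed for the example, and the field names are illustrative rather than taken from the TrueDialog data.

```python
"""Check an Elasticsearch REST endpoint for unauthenticated exposure.

Added example; not code from VPNMentor or TrueDialog. The probe paths are
standard Elasticsearch REST endpoints. EXAMPLE_BASE and the responses in
FAKE_OPEN_NODE are constructed so the script runs offline.
"""
import json
import urllib.error
import urllib.request

# With no authentication in front of the node these answer with JSON: the
# cluster banner, every index with its document count and size, the index
# mappings (the "schemata"), and a sample of stored documents.
PROBE_PATHS = {
    "banner": "/",
    "indices": "/_cat/indices?format=json",
    "mappings": "/_mapping",
    "sample": "/_search?size=1",
}

EXAMPLE_BASE = "http://es.example:9200"  # constructed hostname


def http_fetch(url, timeout=5.0):
    """GET url and return (status, body). HTTP errors keep their status;
    connection failures are reported as (None, '')."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def _json_or_none(body):
    try:
        return json.loads(body)
    except ValueError:
        return None


def assess_elasticsearch(base_url, fetch=http_fetch):
    """Return a verdict dict for the node at base_url: 'unreachable',
    'auth_required', or 'exposed' plus what an anonymous reader could see."""
    base = base_url.rstrip("/")
    responses = {name: fetch(base + path) for name, path in PROBE_PATHS.items()}

    if responses["banner"][0] is None:
        return {"verdict": "unreachable"}
    if any(status in (401, 403) for status, _ in responses.values()):
        return {"verdict": "auth_required"}

    report = {"verdict": "exposed", "indices": [], "doc_count": 0, "fields": {}}

    indices = _json_or_none(responses["indices"][1])
    if isinstance(indices, list):
        for row in indices:
            report["indices"].append(row.get("index", "?"))
            # _cat returns numbers as strings; a closed index reports null.
            try:
                report["doc_count"] += int(row.get("docs.count") or 0)
            except ValueError:
                pass

    mappings = _json_or_none(responses["mappings"][1])
    if isinstance(mappings, dict):
        for index_name, index_body in mappings.items():
            props = index_body.get("mappings", {}).get("properties", {})
            report["fields"][index_name] = sorted(props)

    sample = _json_or_none(responses["sample"][1]) or {}
    report["sample_readable"] = bool(sample.get("hits", {}).get("hits"))
    return report


# Constructed responses standing in for an open node. Field names are
# illustrative (an SMS gateway's shape) and are not from the real database.
FAKE_OPEN_NODE = {
    "/": json.dumps({"name": "node-1", "cluster_name": "sms"}),
    "/_cat/indices?format=json": json.dumps([
        {"index": "messages", "docs.count": "850000000", "store.size": "590gb"},
        {"index": "accounts", "docs.count": "3200000", "store.size": "14gb"},
    ]),
    "/_mapping": json.dumps({
        "messages": {"mappings": {"properties": {"to": {"type": "keyword"},
                                                "body": {"type": "text"}}}},
        "accounts": {"mappings": {"properties": {"username": {"type": "keyword"},
                                                "password": {"type": "keyword"}}}},
    }),
    "/_search?size=1": json.dumps({"hits": {"total": {"value": 853200000},
                                            "hits": [{"_source": {"to": "+15550100",
                                                                  "body": "hi"}}]}}),
}


def fake_fetch_open(url):
    """Offline stand-in for http_fetch against the constructed open node."""
    return 200, FAKE_OPEN_NODE[url[len(EXAMPLE_BASE):]]


def fake_fetch_locked(url):
    """A node with authentication enabled answers anonymous requests with 401."""
    return 401, json.dumps({"error": {"type": "security_exception"}, "status": 401})


if __name__ == "__main__":
    print(assess_elasticsearch(EXAMPLE_BASE, fake_fetch_open))
    print(assess_elasticsearch(EXAMPLE_BASE, fake_fetch_locked))
```

Run against your own nodes with the default `http_fetch`, an "exposed" verdict is the finding to act on: the same anonymous requests that produced the index list and mappings will return documents. Bind `network.host` to an internal address or put the node behind an authenticating proxy, and enable `xpack.security.enabled: true` so that anonymous requests receive a 401, which is the "auth_required" outcome above.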
Because the exposed data included over 10 million SMS messages sent via TrueDialog, along with a technical log describing how the database is structured and managed, the VPNMentor researchers say threat actors could use the information to mount attacks against both businesses and their customers. Potential threats to businesses include account takeover attempts and corporate espionage, they say, while customers could face identity theft, phishing campaigns and financial extortion.
“This is another fallout of the unencrypted message system that TrueDialog uses,” Rotem and Locar say. “It would be easy for a corporate spy to read confidential messages that were sent by a rival company. That data could include marketing campaigns, roll out dates for a new product, new product designs or specs and much more.”
A Recurring Issue
As part of an ongoing research project, Rotem and Locar have come across numerous databases that have been left unsecured by their owners.
For example, the researchers recently found that an unsecured Amazon Web Services storage bucket belonging to PayMyTab, a company that provides U.S. restaurants with mobile payment apps and devices, had left payment card and other customer data exposed (see: PayMyTab Exposes Restaurant Customer Data: Report).
Earlier, the two researchers found that an unsecured database owned by an Ecuadorian consulting company had left over 20 million records on the South American country's citizens exposed to the internet. The report sparked a police investigation and led Ecuador's president to advocate a new privacy law (see: Investigation Launched After Ecuadorian Records Exposed).