The private details of millions of Americans were left exposed for anyone to see on a massive database of text messages held by TrueDialog.
Based in Austin, Texas, 10-year-old TrueDialog works with over 900 cell phone operators, who use the service to contact more than five billion people globally. Services offered by TrueDialog include ways for companies to send out text messages en masse to customers, or in a bid to pick up new business. As well as marketing, TrueDialog's services are used by emergency alert systems and an education SMS solution.
- Adobe Creative Cloud data breach affects 7.5m customers
- Data breach weekly security report
- Words With Friends: Data of all 218 million mobile players stolen
The leaky server, which contained millions of unencrypted messages, was discovered by cybersecurity company vpnMentor, and not protected by a password. Anyone could view the text messages held by the server, then use the private information to conduct phishing campaigns, or sell the data to other parties.
As well as text messages, researchers at vpnMentor also discovered millions of account usernames and passwords belonging to TrueDialog's clients and their customers.
vpnMentor reports how the insecure database was discovered on November 26. Two days later, researchers contacted TrueDialog about the problem, and despite receiving no reply, the server was secured a day later, on November 29.
TrueDialog is a 10-yea-company based in Austin, TexasTrueDialog
"When we last looked at the database it included 604 GB of data, "vpnMentor said in a blog post published December 2, adding: "This included nearly one billion entries of highly sensitive data".
TrueDialog has not yet spoken publicly about the server. GearBrain has requested comment from TrueDialog and we will update this article when we get a reply.
The server was discovered as a part of a huge web mapping project undertaken by vpnMentor. The system scans servers online and tests access ports which may lead to a vulnerability. When a weakness is found, the company works to identify the database's identity, then alerts the owner. In this case, the server was completely unsecured and unencrypted.
The blog added: "It's difficult to put the size of this data leak into context. Hundreds of millions of people were potentially exposed in a number of ways. It's rare for one database to contain such a huge volume of information that's also incredibly varied."
As well as text messages sent to end users, the database contained details on TrueDialog's business model, along with its client base and the customers of those clients. Some passwords were stored in clear text, and while others were base64 encoded, vpnMentor said they are still "easy to decrypt".
Data exposed by the unprotected server included:
- Full names of recipients, TrueDialog account holders and TrueDialog users
- Content of messages
- Email addresses
- Phone numbers of recipients and users
- Dates and times messages were sent
- Status indicators on messages, like read receipts
- TrueDialog account details
vpnMentor added: "The impact of this data leak can have a lasting impression for hundreds of millions of users. The available information can be sold to both marketers and spammers."
As well as affecting customers, the leak could have led to rivals learning how TrueDialog's business works. The vpnMentor blog post explains: "Their competitors could have gotten a look into their backend and seen how the company is run from within. This would have given them a way to copy, or improve upon, the business model that has brought TrueDialog success...its competitors can also take advantage of the bad publicity the brand is going to receive, and even take over their customers."
There are also concerns over account takeover, corporate espionage, a loss of income and new leads, identity theft and fraud, phishing and phone or email scams, and blackmail.
This is an example of where regular consumers are put at risk through no fault of their own. All affected users can do is remain vigilant and look out for any communication - like text messages, emails and phone calls - which seem suspicious. These may have come from a malicious company which has taken your details from the leaking server.