/ Photo by Jon Moore on Unsplash
In the vastness of the network, they discovered a gigantic database with tens of millions of SMS messages, most of which were sent by companies to potential buyers.
The database was owned by TrueDialog, an SMS provider for businesses and universities that allows companies, colleges and universities to create mass mailings to customers and students. According to the company, one of the advantages of the service is the ability for the recipient to send a response message, which allows the business to conduct a two-way conversation with its audience.
The leaked database contains text messages that for several years were sent and received by clients of companies through TrueDialog. But due to the fact that the database was stored on the Internet without any protection, password or encryption, any user could access it.
Security experts Noam Rotem and Ran Locar discovered a leaked database earlier this month as part of an Internet scanning project. The TechCrunch portion of the data contains detailed logs of messages from clients using TrueDialog, including phone numbers and SMS content. Among other things, the database contains information about the financial applications of universities, advertising messages with codes for discounts and vacancies.
The database is also extremely sensitive data: Messages with two-factor authentication codes and other security notices that could potentially allow attackers to gain control over someone else’s accounts. Many messages contained keys for access to online medical services, as well as codes for resetting passwords and accessing such portals as Facebook and Google.
The database also stores the user names and passwords of TrueDialog clients, which can be used to gain access to their accounts and disclose the secrets of their identities. With the help of unique conversation codes contained in SMS-dialogs, it was possible to gain access to full correspondence. One of the tables in the database included tens of millions of SMS, many of which belonged to individuals who want to unsubscribe from receiving messages.
TechCrunch managed to contact TrueDialog about the leak, after which the database instantly turned out to be offline. Despite the fact that he managed to establish contact with TrueDialog CEO John Wright several times, he did not give any comments and refused to acknowledge the leak. Wright also did not answer any of TechCrunch's questions – even whether the company would inform its customers of a security breach and whether it planned to notify regulatory authorities, such as state attorney generals.
TrueDialog is just one of many SMS providers that have exposed sensitive data to the entire Internet in recent months. Is this yet another example of the fact that SMS, despite the convenience of their use, is not a safe way to communicate? In particular, when it comes to sensitive data such as two-factor authentication codes.