Another day, another unsecured cloud database. But this one’s huge and opens up multiple risks.
Who’s responsible this time? “Enterprise-Grade SMS Solutions” company TrueDialog describes itself as “an innovative communications-as-a-service company.” And its products “are ideal for businesses serious about scalability, security and compliance.”
Oops and oops again. In today’s SB Blogwatch, we try to grok the scale of this.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: CIA vs. “Ben.”
SMS DB Auth FAIL
What’s the craic? Zack Whittaker reports—“Millions of SMS messages exposed in database security lapse”:
The database is run by TrueDialog, a business SMS provider for businesses and higher education … which lets companies, colleges, and universities send bulk text messages to their customers and students [and] have two-way conversations. … The database stored years of sent and received text messages … none of the data was encrypted.
The data … contained detailed logs of messages sent by customers who used TrueDialog’s system, including phone numbers and SMS message contents. [It] contained information about university finance applications, marketing messages from businesses with discount codes, and job alerts, among other things.
The data also contained usernames and passwords of TrueDialog’s customers, which if used could have been used to access and impersonate their accounts. … Despite reaching out several times, TrueDialog’s chief executive John Wright would not acknowledge the breach nor return several requests for comment. Wright also did not answer any of our questions.
And Dalvin Brown adjusts for inflation—“‘Hundreds of millions of people’ may have had their text messages exposed”:
Some of your text messages may have been left exposed on the internet for the world to see. … The database contained access information to online medical services along with passwords and usernames to websites such as Google and Facebook.
The personal information contained in the text messages could be an asset to scammers; it could also be used in blackmail schemes and lead to identity theft and fraud.
TrueDialog, which creates text messaging solutions for small and large businesses, has since taken the logs offline. … The company reaches 5 billion subscribers worldwide.
Who found it? Noam Rotem and Ran Locar—“Huge Data and SMS Leak”:
This was a huge discovery, with a massive amount of private data exposed, including tens of millions of SMS text messages … millions of account usernames and passwords, PII data of TrueDialog users and their customers, and much more. [It’s] clear that this was a huge data breach.
The TrueDialog database is hosted by Microsoft Azure and runs on the Oracle Marketing Cloud in the USA. … It included 604 GB … of highly sensitive data. … It’s rare for one database to contain such a huge volume of information that’s also incredibly varied.
Millions of email addresses, usernames, cleartext passwords … were easily accessible within the database. … This means that anyone … would be able to log in to the company account … and do an incredible amount of damage.
There were hundreds of thousands of entries with details about users, including full names, phone numbers, addresses, [email addresses] and more. [Risks include] identity theft and fraud … phishing and scams [or] blackmail.
TrueDialog could have easily avoided this leak if it had taken some basic security measures. … We contacted the company … and offered our expertise in helping them close the data leak and ensure nobody was exposed to risk. … TrueDialog never replied to us.
Not a good look. breakingcups ignites the flamefest:
Though it doesn’t mention a timeline, this does seem like a way to pour gasoline onto a PR dumpster fire.
And Frank Wales—@fcw—foresees a pattern:
From their lack of response to those who found the breach, I suspect TrueDialog may not proactively contact all their customers or other affected people to let them know their data has been exposed.
But how does something like this happen? With a cynic’s eye, here’s Confused:
Some shady startup … customer relation enabler company was founded by a “digital-technology innovator.” … Being digital technology enabled, they probably called themselves something more glorious than spammers but that’s what they do.
They successfully sold their services to companies too lazy or stupid to do their own spamming. … Meanwhile back in the trenches, … the code cobbled together in a weekend while the company was struggling to find their first customer still works fine, doesn’t it?
We always see calls for legal sanctions when breaches happen. This one is no exception, as bumblebees now demonstrates:
There needs to be some criminal accountability for these things. From top brass to ****ty admins setting this up.
It was not by “accident.” … Door wide open and nobody home.
Meanwhile, tinus_hn draws the obvious conclusion:
Hence why SMS is not a valid part of any authentication system that should be secure.
The CIA Tried to Recruit Me
You have been reading SB by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or firstname.lastname@example.org. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: Christo Anestev (Pixabay)