Data leak leaves tens of millions of text messages exposed

The messages, which included password reset links, two-factor authentication codes and shipping notifications, were left exposed on a server

Chiara Giordano
Saturday 17 November 2018 17:09

Tens of millions of text messages have been exposed on a company’s database by a security lapse.

The messages, which included password reset links, two-factor authentication codes and shipping notifications, were exposed on a server belonging to Voxox.

Alarmingly, the San Diego-based communications company’s server was not password protected, meaning anyone who knew where to find it could easily snoop.

Berlin-based security researcher Sébastien Kaul found the database had just over 26 million text messages when it was taken offline by Voxox following an inquiry by TechCrunch.

But the volume of messages the platform processes every minute suggests the total number exposed over time was higher still.

Each record included the recipient’s mobile phone number, the message text, the Voxox customer who sent the message and the shortcode it was sent from – although any two-factor codes contained in the messages would only have been valid for a short time.
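The short validity window is what limits the damage from a leaked two-factor code, but only once the window has closed. The following is an added example, not code from Voxox or from this article, showing a minimal issuer and verifier for SMS one-time codes that expire after a fixed TTL and are consumed on first use; a code read later from an exposed message store is rejected as used or expired, while one read inside the window still works. The 120-second TTL, the attempt limit and the phone numbers are assumptions chosen for the illustration.

```python
"""Short-lived, single-use SMS one-time codes (added illustration, not Voxox's code).

Models why a leaked SMS 2FA code loses value quickly: codes expire after a
short TTL and are consumed on first successful use, so a code read later from
an exposed message store is rejected. The TTL, code length, attempt limit and
simulated clock are assumptions for the example.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120   # assumed validity window
CODE_DIGITS = 6          # six-digit codes, like those the article describes
MAX_ATTEMPTS = 5         # stop online guessing of a still-valid code


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    def __init__(self, clock=time.time):
        self._clock = clock                         # injectable so tests can move time
        self._pending: dict[str, PendingCode] = {}  # one outstanding code per phone

    def issue(self, phone: str) -> str:
        """Generate and record a fresh code; the return value is what the SMS gateway would send."""
        code = "".join(str(secrets.randbelow(10)) for _ in range(CODE_DIGITS))
        self._pending[phone] = PendingCode(code=code, issued_at=self._clock())
        return code

    def verify(self, phone: str, candidate: str) -> str:
        """Return 'ok', or the reason for rejection: 'unknown', 'used', 'expired', 'locked', 'mismatch'."""
        entry = self._pending.get(phone)
        if entry is None:
            return "unknown"
        if entry.used:
            return "used"
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[phone]                # expired codes are dropped, not retained
            return "expired"
        if entry.attempts >= MAX_ATTEMPTS:
            return "locked"
        entry.attempts += 1
        if not hmac.compare_digest(entry.code, candidate):
            return "mismatch"                       # constant-time compare, no timing leak
        entry.used = True                           # single use: replay is rejected
        return "ok"


def replayed_code_scenario(delay_seconds: float) -> tuple:
    """Constructed scenario: the legitimate user logs in, then someone who read the
    SMS from an exposed store replays the same code `delay_seconds` later."""
    now = [1_000_000.0]
    svc = OtpService(clock=lambda: now[0])
    phone = "+15555550100"                          # constructed number
    code = svc.issue(phone)
    first = svc.verify(phone, code)
    now[0] += delay_seconds
    second = svc.verify(phone, code)
    return first, second


def unused_leaked_code_scenario(delay_seconds: float) -> str:
    """Constructed scenario: the code has not been used yet; an attacker who read it
    from the exposed store tries it `delay_seconds` after issue."""
    now = [1_000_000.0]
    svc = OtpService(clock=lambda: now[0])
    phone = "+15555550101"                          # constructed number
    code = svc.issue(phone)
    now[0] += delay_seconds
    return svc.verify(phone, code)


if __name__ == "__main__":
    print(replayed_code_scenario(10))               # ('ok', 'used')
    print(unused_leaked_code_scenario(30))          # 'ok'  - still inside the window
    print(unused_leaked_code_scenario(600))         # 'expired'
```

The second scenario is the caveat a practitioner should keep in mind: a code pulled from an exposed server before the user has entered it, and within its validity window, is accepted just like the genuine one. Expiry and single use shrink that window; they do not close it, which is why the question of whether the data had already been abused matters more than the age of the dump.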

Voxox acts as a gateway for companies such as Amazon by converting shipping codes or two-factor authentication codes into text messages to be passed on to customers’ mobile phones.

And apps such as Viber and HQ Trivia use the technology to verify a user’s phone number or send a two-factor authentication code.

Among its findings, TechCrunch discovered messages sending several Booking.com partners their six-digit two-factor codes for logging in to the company’s corporate extranet.

It also found several small to mid-size hospitals and medical facilities sent reminders to patients about their upcoming appointments, and in some cases, billing inquiries; and a password was sent in plaintext to a Los Angeles phone number by dating app Badoo.

Dylan Katz, a security researcher, told TechCrunch: “My real concern here is the potential that this has already been abused.

“This is different from most breaches, due to the fact the data is temporary, so once it’s offline any data stolen isn’t very useful.”

Kevin Hertz, Voxox’s co-founder and chief technology officer, told TechCrunch in an email that the company was “looking into the issue and following standard data breach policy at the moment” and that the company was “evaluating impact”.
