Many companies use an SMS text messaging system that is different from the one you use on your phone. This is what the companies’ employees use to discuss business with each other and with customers. It’s something that tends to be trusted more than your own personal email.
However, these SMS systems should not be automatically trusted. The vpnMentor research team located a data breach of the TrueDialog communications company in the United States. A massive amount of private data was exposed, including tens of millions of text messages as well as user account information.
SMS Data Leak
Based in Austin, Texas, TrueDialog has been in business for 10 years. It creates SMS solutions, including mass text messaging, marketing SMS options, urgent alerts, and education SMS options for both large and small businesses. These solutions work with nearly 1000 cell phone operators with a customer base of 5 billion subscribers.
Along with private text messages, vpnMentor found usernames and passwords for millions of accounts and data from the users’ customers as well. The research team discovered that the company didn’t secure the database properly.
Once vpnMentor researchers learned the extent of the data leak, they contacted TrueDialog, shared what they had found, and offered to help the company close the leak. While the company closed its database, it did not reply to vpnMentor.
Microsoft Azure hosts the database that holds 604 GB of data, and it runs on the Oracle Marketing Cloud. Even TrueDialog itself was affected, along with its customers and the customers’ clients. Millions of email addresses, usernames, cleartext passwords, and base64-encoded passwords were easily accessible. Base64 is an encoding that anyone can reverse, not encryption, so the encoded passwords were no better protected than the cleartext ones.
Not only was data left unprotected, but account credentials were left in cleartext, so anyone who accessed the database could log in to the company account and change the password. The data could include marketing campaigns, new product release designs or specs and release dates, etc.
The vpnMentor researchers found this data breach as part of a web-mapping project that uses port scanning to examine IP blocks and test for open holes. After finding a data breach, they alert the company and also try to alert those who were affected. The TrueDialog database was astonishingly left completely unsecured and unencrypted.
No Results Known
While it’s known that data was left unprotected and TrueDialog has since closed the database, it’s not known what harm was done since the company did not respond to the researchers. Anyone using TrueDialog, though, should speak with their company to try to resolve the matter.
Are you a TrueDialog user? Does this make you less trusting of your company’s built-in messaging system? Tell us in the comments below how this data breach may have affected you.