Unencrypted SMS database found online, exposing millions of US text messages

A huge database of text messages and user data has been discovered online, completely unprotected and free for anyone to browse.

Found by researchers from vpnMentor, the database belongs to US communications company, TrueDialog. Among the exposed data are not only tens of millions of SMS messages, but also private information including usernames and passwords.

See also:

• OnePlus suffers data breach, exposing personal details of online store customers
• Google is under investigation over its data collection practices
• Database containing details of nearly half a million gamers exposed in security lapse

The Texas-based company provides SMS services to educational establishments and businesses, including mass mailings, emergency announcements and marketing messages. Globally, the company has more than 5 billion subscribers, but it seems that the exposed database only relates to people in the US.

vpnMentor says that the TrueDialog database is 604GB in size, and is hosted by Microsoft Azure running on the Oracle Marketing Cloud in America. The company explains that the database was discovered, unecrypted and not protected by a password on November 26.

The vpnMentor research team discovered the breach in TrueDialog's database as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test open holes in systems for weaknesses. They examine each hole for data being leaked.

When they find a data breach, they use expert techniques to verify the database’s identity. We then alert the company to the breach. If possible, we will also alert those affected by the breach.

Our team was able to access this database because it was completely unsecured and unencrypted. The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing the database schemata.

The purpose of this web mapping project is to help make the internet safer for all users.

As ethical hackers, we're obliged to inform a company when we discover flaws in their online security. This is especially true when the companies data breach contains such private information. However, these ethics also mean we carry a responsibility to the public. TrueDialog users must be aware of a data breach that impacts them also.

The database was found to contain nearly a billion entries with sensitive data, including:

• TrueDialog Account Login: There were millions of email addresses, usernames, cleartext passwords, and base64 encoded passwords which are easy to decrypt that were easily accessible.
• Account User Details: There were hundreds of thousands of entries with details about users including full names, phone numbers, addresses, emails and more.
• Tens of millions of text messages containing data such as:
  • Full names of recipients, TrueDialog account holders and TrueDialog users
  • Content of messages
  • Email addresses
  • Phone numbers of recipients and users
  • Dates and times messages were sent
  • Status indicators on messages sent, like Read receipts, replies, etc.
  • TrueDialog account details

The findings of vpnMentor's Noam Rotem and Ran Locar have been verified by TechCrunch. Upon being contacted by TechCrunch, TrueDialog took the insecure database offline, but refused to answer questions about the security incident.

Image credit: antstang / Shutterstock