A massive database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more, was exposed from a server belonging to Voxox (formerly Telcentris) in San Diego, California.
Apparently, the server wasn’t protected with a password, allowing anyone with even minimal hacking experience to snoop on a near-real-time stream of text messages. Worse, the database — running on Amazon’s Elasticsearch — was configured with a Kibana front-end, making the data within easily readable, browsable and searchable by name, cell number and the contents of the text messages themselves.
Often, app developers — like HQ Trivia and Viber — will employ technologies provided by firms like Telesign and Nexmo, for example to verify a user’s phone number or to send a two-factor authentication code. But it’s firms like Voxox that act as the gateway, converting those codes into text messages to be passed on to the cell networks for delivery to the user’s phone.
Kats said: “My real concern here is the potential that this has already been abused. This is different from most breaches, due to the fact the data is temporary, so once it’s offline any data stolen isn’t very useful.”
After the news broke, the database was taken offline. At that point it appeared to hold almost 26 million text messages, but researchers believe the true number could be higher. Based on a review of the data, this is the information found to have been exposed:
- Password sent in plaintext to a Los Angeles phone number by dating app Badoo;
- Several Booking.com partners were sent their six-digit two-factor codes to log in to the company’s extranet corporate network;
- Fidelity Investments also sent six-digit security codes to one Chicago Loop area code;
- Many messages included two-factor verification codes for Google accounts in Latin America;
- A Mountain View, Calif.-based credit union, the First Tech Federal Credit Union, also sent a temporary banking password in plaintext to a Nebraska number;
- A shipping notification sent by Amazon with a link that opened Amazon’s delivery tracking page, including the UPS tracking number of a package en route to its destination in Florida;
- Messenger apps KakaoTalk and Viber, and quiz app HQ Trivia use the service to verify user phone numbers;
- Messages that contained Microsoft’s account password reset codes and Huawei ID verification codes;
- Yahoo also used the service to send some account keys by text message;
- Several small to mid-size hospitals and medical facilities sent reminders to patients about their upcoming appointments and, in some cases, billing inquiries.
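The categories of message content listed above are exactly what a gateway should never retain in a searchable index. As an added example (not Voxox’s code, and using constructed sample messages with hypothetical senders and numbers), here is a Python log-minimisation filter that redacts one-time codes, reset links and plaintext passwords and masks recipient numbers before a delivery record is stored:

```python
import re

# Secrets the exposed database contained and a delivery log never needs:
# one-time codes, links carrying tokens, and plaintext passwords.
URL_RE = re.compile(r"https?://\S+")
PASSWORD_RE = re.compile(r"(password\s*(?:is|:)\s*)(\S+)", re.IGNORECASE)
CODE_RE = re.compile(r"\b\d{4,8}\b")  # also masks bare 4-digit years; acceptable

def redact_sms(body: str) -> str:
    """Replace secrets in an SMS body with placeholders.

    Order matters: URLs first so digits in a tracking link are not half-masked,
    passwords next (a numeric password would otherwise become [CODE]), codes last.
    """
    body = URL_RE.sub("[URL]", body)
    body = PASSWORD_RE.sub(lambda m: m.group(1) + "[REDACTED]", body)
    return CODE_RE.sub("[CODE]", body)

def mask_number(msisdn: str) -> str:
    """Keep only the last four digits of a recipient number."""
    digits = re.sub(r"\D", "", msisdn)
    return "*" * (len(digits) - 4) + digits[-4:]

def minimize_record(record: dict) -> dict:
    """Reduce a full gateway message to the fields a delivery log may keep.
    The raw body is never written, so an exposed index holds no usable secret."""
    return {
        "ts": record["ts"],
        "to": mask_number(record["to"]),
        "sender": record["sender"],
        "status": record["status"],
        "body": redact_sms(record["body"]),
    }

# Constructed sample records (hypothetical senders and numbers).
SAMPLE_RECORDS = [
    {"ts": "2018-11-15T18:02:11Z", "to": "+1 (312) 555-0142", "sender": "BankCo",
     "status": "delivered", "body": "Your security code is 482913"},
    {"ts": "2018-11-15T18:02:14Z", "to": "+1 402 555 0199", "sender": "CreditUnion",
     "status": "delivered", "body": "Your temporary password is Hunter2!"},
    {"ts": "2018-11-15T18:02:20Z", "to": "+1-305-555-0117", "sender": "Shipper",
     "status": "queued", "body": "Package on its way: https://example.invalid/track?id=1Z999"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(minimize_record(rec))
```

Applied at the point where a gateway writes its delivery log, this leaves routing metadata for troubleshooting while an exposed index like the one described here would contain no codes, links or passwords worth harvesting.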
Many companies, including Facebook, Twitter and Instagram, have rolled out app-based two-factor authentication in place of SMS-based verification, which has long been seen as vulnerable to interception.