Leave a comment

Millions of text messages containing sensitive information exposed

Millions of text messages containing sensitive information exposed
© Michał Rojek | Dreamstime.com

We've all at some point or another requested a password reset or shipping confirmation from any number of businesses. And oftentimes those requests are answered by automated text messages.

But do you ever give a second thought to those SMS responses you receive? No? But what if sensitive information contained in some of those messages was left open for anyone to see?

That not only happened this week, but the information was apparently easy to find. And what's worse is that it involved a shocking number of messages.

A database with millions of messages and no password

It's unclear how long this would have gone unnoticed if it wasn't for a security researcher out of Berlin named Sébastien Kaul. But Kaul says the massive - and open - database wasn't hard to find while he was on a search engine for public databases. What he found was a server belonging to Voxox, previously known as Telcentris, a communications company based in San Diego. And that server wasn't protected by a password.

Bonus: Passwords 'Admin' and 'Password' are against the law in this state

The database contained millions of texts, in a very close to real-time stream. And to make matters worse, it was configured in such a way that made the data easy to read and search; data that included names, numbers as well as message contents.

Detailed messages were discovered

Many messages on the open server contained password reset links. Others involved two-factor codes and some had shipping information. TechCrunch found the database had more than 26 million messages since the beginning of the year. It's unknown if that number is completely accurate, as Voxox took the database offline when contacted by TechCrunch.

What's concerning is that since the stream was almost real-time, the issue is that many of those texts could have been quickly intercepted and accounts could have been hijacked, depending on certain factors.

password on phone lock screen

To combat issues like this from ever arising, numerous companies already use app-based two-factor authentication, since it's not as vulnerable as text messaging. Facebook, Twitter and Instagram are among those companies.

How are messages like these even sent?

A message going from a business to your phone can be a multi-step process involving several companies. App developers will often use outside companies to handle things like verifying a customer's phone number or sending the two-factor code. The next step in that process is for firms such as Voxox to turn that information into text messages and get them delivered to phones.

In this incident, Voxox co-founder and chief technology officer Kevin Hertz said in an email to TechCrunch that the company "is looking into the issue..." and "evaluating impact."

Microsoft is ending passwords with this innovative move

Let's face it, passwords are not synonomous with great online security. Between data breaches, hacking and scams, they're just too vulnerable. That's why Microsoft wants something better.

Click or tap here to learn more about their plan to ultimately kill the password. 

Next Story
Source: TechCrunch
View Comments ()
Check this list of VPNs that are based in China
Previous Happening Now

Check this list of VPNs that are based in China

Are the iPhone XS, XS Max and XR in trouble?
Next Happening Now

Are the iPhone XS, XS Max and XR in trouble?