Skip to Content
Man using Apple iPhone
Security & privacy

Millions of text messages containing sensitive information exposed

We’ve all at some point or another requested a password reset or shipping confirmation from any number of businesses. And oftentimes those requests are answered by automated text messages.

But do you ever give a second thought to those SMS responses you receive? No? But what if sensitive information contained in some of those messages was left open for anyone to see?

That not only happened this week, but the information was apparently easy to find. And what’s worse is that it involved a shocking number of messages.

A database with millions of messages and no password

It’s unclear how long this would have gone unnoticed if it wasn’t for a security researcher out of Berlin named Sébastien Kaul. But Kaul says the massive – and open – database wasn’t hard to find while he was on a search engine for public databases. What he found was a server belonging to Voxox, previously known as Telcentris, a communications company based in San Diego. And that server wasn’t protected by a password.

Bonus: Passwords ‘Admin’ and ‘Password’ are against the law in this state

The database contained millions of texts, in a very close to real-time stream. And to make matters worse, it was configured in such a way that made the data easy to read and search; data that included names, numbers as well as message contents.

Detailed messages were discovered

Many messages on the open server contained password reset links. Others involved two-factor codes and some had shipping information. TechCrunch found the database had more than 26 million messages since the beginning of the year. It’s unknown if that number is completely accurate, as Voxox took the database offline when contacted by TechCrunch.

What’s concerning is that since the stream was almost real-time, the issue is that many of those texts could have been quickly intercepted and accounts could have been hijacked, depending on certain factors.

password on phone lock screen

To combat issues like this from ever arising, numerous companies already use app-based two-factor authentication, since it’s not as vulnerable as text messaging. Facebook, Twitter and Instagram are among those companies.

How are messages like these even sent?

A message going from a business to your phone can be a multi-step process involving several companies. App developers will often use outside companies to handle things like verifying a customer’s phone number or sending the two-factor code. The next step in that process is for firms such as Voxox to turn that information into text messages and get them delivered to phones.

In this incident, Voxox co-founder and chief technology officer Kevin Hertz said in an email to TechCrunch that the company “is looking into the issue…” and “evaluating impact.” App background

Check out the free App!

Get tech updates and breaking news on the go with the App, available in the Apple and Google Play app stores.

Get it today