Tens of millions of private text messages and security codes exposed
BERLIN, Germany – November 16, 2018
According to the Telegraph, tens of millions of text messages and security codes were exposed in an online database that did not even have a password, TechCrunch’s security researchers have found.
The database of text messages, used by companies to send password reset information, shipping notifications and security codes, was left exposed by communications company Voxox.
The files included 26 million records of text messages this year alone, according to TechCrunch. Password verification messages for Google accounts, Amazon delivery tracking notices, messaging apps and security codes for major financial investment companies were all included in the leak.
The exposed server was found by Sébastien Kaul, a Berlin-based security researcher, using Shodan, a search engine for public devices and databases. It was not password protected, meaning anyone could enter and access the data.
Exposed on the database was a stream of near real-time messages. However, the access codes in these would typically only have worked for a few minutes after they had been sent.
The leak shows the risks of text message-based communications with companies, which are easier to intercept than encrypted digital messages.
App developers and websites often employ technology companies to verify a phone number with a user’s account and send it information, like a login access code for two-factor authentication.
San Francisco-based Voxox was one of those middlemen companies, converting the messages into text for delivery to users.
Apps including messaging services Viber and Kakao used the service for verifying phone numbers, as did quiz app HQ Trivia.
Mike Godfrey, Chief Executive at security firm Insinia Security, said: “With text messages used for two-factor authentication, we all knew this was a bad idea because hackers can get access to text messages. With two-factor security it makes the system worse because you are lulled into a false sense of security.”
The leaky nature of SMS communication, which travels on phone networks and can be compromised or fooled by hackers, has led some companies, such as Facebook and Google, to offer secure apps to verify users instead.
The systems behind SMS text messages have not been changed for decades, making them vulnerable to spoof messages and phishing.
Voxox told TechCrunch it was “looking into the issue and following standard data breach policy at the moment.”