TrueDialog Suffers Data Leak: 1 Billion Text Messages Exposed

TrueDialog is the latest company to suffer a data leak. An estimated 1 billion text messages housed in a 602GB database has been exposed.

It is yet another massive security incident. This time, a Texas-based company known as TrueDialog is the company blamed for the security lapse. If you send or receive text messages, it could affect you. The database in question was left unsecured on an open server and left unencrypted for anyone to see. That database has since been secured after VPNMentor contacted the company, though TrueDialog reportedly never responded to VPNMentor after.

From TechCrunch:

TechCrunch examined a portion of the data, which contained detailed logs of messages sent by customers who used TrueDialog’s system, including phone numbers and SMS message contents. The database contained information about university finance applications, marketing messages from businesses with discount codes, and job alerts, among other things.

But the data also contained sensitive text messages, such as two-factor codes and other security messages, which may have allowed anyone viewing the data to gain access to a person’s online accounts. Many of the messages we reviewed contained codes to access online medical services to obtain, and password reset and login codes for sites including Facebook and Google accounts.

The data also contained usernames and passwords of TrueDialog’s customers, which if used could have been used to access and impersonate their accounts.

Because some of the two-way message conversations contained a unique conversation code, it’s possible to read entire chains of conversations. One table alone had tens of millions of messages, many of which were message recipients trying to opt-out of receiving text messages.

While the post says that millions were exposed, VPNMentor was able to give more precise numbers. From VPNMentor:

The TrueDialog database is hosted by Microsoft Azure and runs on the Oracle Marketing Cloud in the USA. When we last looked at the database it included 604 GB of data. This included nearly 1 billion entries of highly sensitive data, which we’ll detail below.

VPNMentor also points out how such an incident could have been avoided:

TrueDialog could have easily avoided this leak if it had taken some basic security measures to protect the database. These include, but are not limited to:

  1. Secure your servers.
  2. Implement proper access rules.
  3. Never leave a system that doesn’t require authentication open to the internet.

Any company can replicate the same steps, no matter its size.

As both articles point out, the database is valuable for a number of fraudsters. This includes those who wish to impersonate the accounts, scammers, and plenty of others.

The numbers behind the leak is quite atypical for what we report on. What’s frightening in this, though, is that it isn’t even the largest security incident we’ve reported in the last 30 days. That title belongs to another data leak which involved 1.2 billion “enriched” accounts. The ownership of the database is still being determined.

This month, we’ve already reported on one other fairly significant security incident. That is, of course, the MixCloud data breach. In all, 21 million users were exposed in that one.

One thing is for sure, security incidences are starting a rather worrying trend: they are seemingly getting larger. For those keeping track, the title for largest security incident still belongs to Yahoo! back in 2013 where an estimated 3 billion accounts were affected. Some reports are questioning whether this or the 1.2 billion account data leaks are the largest ever. The answer, unfortunately, is “no”. Still, those numbers are climbing. At this rate, we can only be left wondering how long Yahoo! will hold that title.

Drew Wilson on Twitter: @icecube85 and Facebook.



1 Trackback or Pingback

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.


%d bloggers like this: