SMS company exposes millions of text messages, credentials online

Researchers have found yet another massive database inadvertently exposed online, leaking millions of records.

This time, it was a database of SMS messages from enterprise texting services provider TrueDialog, and the people that found it claim that the exposure could have compromised tens of millions of people.

Researchers Noam Rotem and Ran Locarat at vpnMentor first found the database on Microsoft’s Azure cloud platform on 26 November 2019. It displayed what they described as a “massive amount of private data”, including tens of millions of SMS text messages. Also in public view were millions of account usernames and passwords, they said.

Founded in 2008, Texas-based TrueDialog provides SMS solutions for businesses, enabling them to send mass texts for marketing purposes, along with sector-specific applications such as student SMS notifications for the education industry.

According to a blog post on the vpnMentor website, the database contained 604 GB of data comprising nearly a billion entries. These included email addresses, usernames, passwords stored in plain text, and some other passwords using base64 encoding (which is a system used to preserve data integrity during transmission, rather than a password protection encryption mechanism).

Aside from the account logins, the researchers also found message content, the full names of recipients and TrueDialog account holders, and phone numbers. They added:

We also found in the database logs of internal system errors as well as many http requests and responses, which means that whoever found it could see the site’s traffic. This could by itself had exposed vulnerabilities [sic].

The leaky system logs could also have given competitors a look at TrueDialog’s backend systems and potentially a way to gain a competitive edge over the company, vpnMentor’s blog post suggested. It also warned that anyone who accessed the data could have taken over user accounts and engaged in corporate espionage by snooping on account holders’ SMS texts or even stealing leads generated by the SMS system.

An improperly configured Elasticsearch database was to blame, according to vpnMentor. This database is not designed to be accessible via a URL, but administrators can manually set it up for remote access. Inappropriate data disclosures via poorly configured Elasticsearch databases are a common occurrence.

This appears to be what happened here, as the researchers were able to access the database via the browser and change search parameters to expose the database schema. They also found information linking the database to TrueDialog in the form of the company’s host ID, api.truedialog.com.

TrueDialog chief executive John Wright told us:

We were notified on Thursday that for a short period text message logs between our business customers and individuals were potentially accessible on one of our Azure servers. The data was located at a non-published network port which is now secured. We have internally found no evidence that the data was downloaded or viewed by anyone other than the security analyst who notified our company that the data was potentially accessible.

He added:

Our initial analysis revealed that approximately 97 percent of the message logs at issue were records of one-way bulk text alerts and generic replies, such as recurring text subscriptions and opt-out requests, which contained no personally identifiable information. Although our review of the data is still ongoing, we have so far been able to determine that 99.6 percent of the total message logs contain no personally identifiable information.

Note that this response doesn’t directly address vpnMentor’s claim that it found PII including account holder details in the database.

Wright continued:

We have initiated an external security audit to further assess this incident and our safeguards to detect and prevent unauthorized access to our business records. We are continuing to review the remaining message log data and will notify relevant parties in the event we learn any additional facts that would trigger additional concerns under applicable law.