Major security breach exposes millions of SMS messages

Joanna Estrada
November 19, 2018

As reported by TechCrunch, the flaw is found in the server of Voxox (formerly Telcentris), a US-based communications firm.

Security researcher Sébastien Kaul found the server easily on Shodan, a search engine for publicly available devices and databases.

Two-factor authentication (2FA) can be one of the best ways of securing your data; that is, unless the codes are kept on an insecure server, leaving millions of password-reset links, cell phone numbers, text message contents, and two-factor codes easily searchable and readable.

Voxox is the gateway between companies that send out messages that verify phone numbers or send two-factor authentication codes, and the end recipients.

SMS appeared on the network in real-timeOver 26 million SMS messages exchanged between clients of a telecommunications company Voxox, based in California, was in the public domain. Among the information reportedly discovered were security codes sent by Fidelity Investments, a temporary banking password sent by a Silicon Valley credit union and an Amazon tracking notification with UPS tracking information.

Mike Godfrey, chief executive at security firm Insinia Security, said: "With text messages used for two factor authetication, we all knew this was a bad idea because hackers can get access to text messages".

According to Dylan Katz, another security researcher who reviewed the findings, the data might have already been snapped up and used by malicious third parties.

"Our resources are looking into the issue and following standard data breach policy at the moment", Barrett Brown, director of customer service at Vovox, said in a statement.

Other reports by Click Lancashire

Discuss This Article