Massive Database Leak Leads to Millions of Messages Being Exposed

Marco Green
December 4, 2019

"We disclosed our findings and offered our expertise in helping them close the data leak and ensure nobody was exposed to risk", the researchers said.

The blog added: "It's hard to put the size of this data leak into context".

But the data also contained sensitive text messages, such as two-factor codes and other security messages, which may have allowed anyone viewing the data to gain access to a person's online accounts. After contacting TrueDialog but not hearing back from the company, TechCrunch contacted the company.

Rotem and Locar discovered the Microsoft Azure-hosted TrueDialog database last week.

Because the data was stored in an unencrypted format, researchers note that millions of TrueDialog's customer account logins, stored in clear text, remained accessible. Still, it isn't known how long the 604 GB of data with millions of messages - which were hosted by Microsoft Azure and ran on the Oracle Marketing Cloud in the US - was open, or whether anyone copied the data.

"The company uses an Elasticsearch database, which is ordinarily not designed for URL use".

Businesses and educational institutions around the world that use the TrueDialog SMS bulk texting service are scrambling to assess the potential damage to their communications after news that security researchers discovered a huge database of unprotected messages from the Texas-based provider. In a blog post, the researchers say the database had ties to several areas of TrueDialog's wider business. "It would be easy for a corporate spy to read confidential messages that were sent by a rival company".

As part of an ongoing research project, Rotem and Locar have come across numerous databases that have been left unsecured by their owners. They believe text messaging firm TrueDialog - an SMS provider for businesses and higher education providers - is responsible for the leak.

The leaky server, which contained millions of unencrypted messages, was discovered by cybersecurity company vpnMentor and was not protected by a password. The report sparked a police investigation and led Ecuador's president to advocate a new privacy law (see: Investigation Launched After Ecuadorian Records Exposed).
