A group of researchers from vpnMentor has discovered a database of text messages and user data that belongs to US communications company TrueDialog. The researchers revealed that in addition to containing SMS messages, the unencrypted database contains sensitive private information such as usernames and passwords.
In case you didn’t know, TrueDialog is a Texas-based company that provides SMS services to businesses and organizations that need a mass messaging system. Although the company has over 5 billion subscribers around the world, the unencrypted database contains information related to subscribers in the United States.
In a blog post, vpnMentor wrote:
The vpnMentor research team discovered the breach in TrueDialog’s database as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test open holes in systems for weaknesses. They examine each hole for data being leaked.
When they find a data breach, they use expert techniques to verify the database’s identity. We then alert the company to the breach. If possible, we will also alert those affected by the breach.
Our team was able to access this database because it was completely unsecured and unencrypted. The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing the database schemata.
The purpose of this web mapping project is to help make the internet safer for all users.
As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. This is especially true when the company's data breach contains such private information. However, these ethics also mean we carry a responsibility to the public. TrueDialog users must be aware of a data breach that impacts them also.
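The exposure vpnMentor describes (an Elasticsearch HTTP API reachable from a browser with no authentication or encryption) comes down to a handful of node settings. The following elasticsearch.yml is an added illustration, not part of the article or of vpnMentor's post, and it assumes Elasticsearch 7.x-era setting names and placeholder certificate paths; TrueDialog's actual configuration is not known.

```yaml
# Elasticsearch node configuration (elasticsearch.yml), 7.x-era setting names.
# Hypothetical illustration of an exposed posture next to a hardened one.

# --- Exposed posture: the shape of deployment the article describes ---
# The HTTP API is bound to every interface with no authentication and no TLS,
# so anyone who can reach port 9200 can list indices and run _search from a URL.
# network.host: 0.0.0.0
# http.port: 9200
# xpack.security.enabled: false

# --- Hardened posture ---
# 1. Do not expose the HTTP API beyond the hosts that need it.
network.host: 127.0.0.1          # or a private-network address behind a firewall
http.port: 9200

# 2. Require authentication on every request (built-in users, roles, API keys).
xpack.security.enabled: true

# 3. Encrypt client traffic so credentials and message content are not sent in clear text.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12          # placeholder path

# 4. Encrypt node-to-node traffic (required once security is enabled on a multi-node cluster).
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12   # placeholder path
xpack.security.transport.ssl.truststore.path: certs/transport.p12 # placeholder path
```

With the hardened settings in place, an unauthenticated `curl -s -o /dev/null -w '%{http_code}' https://localhost:9200/` from the host should return 401 rather than the cluster banner, which is the quickest way to confirm the API is no longer browsable without credentials.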
Shortly after the report, TechCrunch verified the claims and contacted TrueDialog. While the company took down the database shortly afterwards, it did not answer any questions related to the security incident.