Database of tens of millions of SMS messages found stored online without encryption



We found that tens of millions of messages delivered by SMS are stored without encryption in a large database that can be viewed by anyone without a password. Most of the messages were sent by companies to potential customers, but they also contained sensitive information such as account credentials.

Report: Millions of Americans at Risk After Huge Data and SMS Leak

Millions of SMS messages exposed in database security lapse | TechCrunch

The database in question is owned by TrueDialog. The company provides bulk SMS services that enterprises and higher education institutions use to send large numbers of messages as a business solution. The advantage of the TrueDialog service is that the message recipient can reply to the text message directly, making it easy for the company and the customer to have a two-way conversation.

The TrueDialog database discovered online contained SMS messages that the company's clients had exchanged with customers over many years, but no password was set and no encryption was applied. Therefore, anyone who knew where the database was stored, or who discovered it by accident, was able to check the contents of all the messages.



The database was discovered by Noam Rotem and Ran Locar, security researchers working for vpnMentor, which evaluates VPN services. The overseas technology news site TechCrunch investigated some of the SMS messages stored in the database. The database appears to have contained information about university financial applications, marketing messages from companies using discount codes, job alerts, and so on.

The data also included text messages containing sensitive information, such as two-factor authentication codes and other security-related messages. TechCrunch points out that it is possible for anyone who had access to the data to easily access people's personal online accounts. In addition, the messages in the database included codes for accessing and obtaining online medical services, as well as password reset URLs and login codes for Facebook and Google accounts.

In addition, it seems that the database contains account information such as user names and passwords used by TrueDialog customers.


TechCrunch contacted TrueDialog about the database leak, and the database was immediately taken offline. However, even though TechCrunch contacted TrueDialog CEO John Wright, TrueDialog has not acknowledged any data breach and has not answered the questions.

in Security, Posted by logu_ii