Security researchers have discovered a massive database, which was left exposed online, that contains tens of millions of SMS text messages sent by businesses to potential customers.
The database is run by a business SMS provider called TrueDialog that allows organizations and colleges to send out bulk text messages to their customers and students. However, the service also gives recipients of these messages the ability to text back so that they can have two-way conversations with those businesses.
TrueDialog’s database contained years worth of SMS messages that had been sent and received by its customers. Since the database was left unsecured online without a password, anyone could look at these messages which were also not encrypted.
The initial discovery of the exposed database was made by Noam Rotem and Ran Locar from vpnMentor’s research team.
After examining a portion of the exposed data, TechCrunch found that it contained detailed logs of messages sent by customers who used TrueDialog’s system including their phone numbers and the contents of their messages.
The database itself contained marketing messages from businesses, job alerts and other offers sent out to customers but it also stored sensitive text messages such as two-factor authentication codes and security messages. Using the information contained in these messages, anyone could have potentially tried to gain access to users’ online accounts.
The data also contained the usernames and passwords of TrueDialog’s own customers which could have also been used to access and impersonate their accounts.
Another startling discovery was the fact that some of the two-way message conversations contained a unique conversation code. Using this code, anyone could have been able to read entire chains of conversations between businesses and their customers.
This is just the latest case of a database being left unsecured online but it also shows how SMS text messages are not a secure way to send sensitive data such as two-factor authentication codes.