Millions of text messages leaked through exposed TrueDialog server

A trove of highly sensitive data of more than a billion entries was exposed through an unsecured database run by a US-based enterprise communications firm.

More than 604GB of data, including usernames and plaintext passwords as well as personally identifiable information, was exposed after SMS messaging service provider TrueDialog failed to properly secure its database, researchers claim.

The data, which was publicly accessible using a URL search, included login details and the full contents of SMS messages, which often included other sensitive information like phone numbers, email addresses and the dates and times messages are sent.

Discovered as part of vpnMentor's web mapping project, the unsecured and unencrypted database exposed the details of potentially tens of millions of TrueDialog users and customers, which left many vulnerable to cyber attack.

The database also contained technical logs that showed how the database is structured and managed, as well as logs of internal system errors and many HTTP requests and responses, which could have exposed further vulnerabilities.

"This was a huge discovery, with a massive amount of private data exposed, including tens of millions of SMS text messages," said the research team, led by security experts Noam Rotem and Ran Locar.

"Aside from private text messages, our team discovered millions of account usernames and passwords, PII data of TrueDialog users and their customers, and much more."

"By not securing their database properly, TrueDialog compromised the security and privacy of millions of people across the USA."

The leak was discovered on 26 November and reported to the communications firm two days later once their ownership of the database was verified. TrueDialog closed the database a day later.

The data is hosted on a Microsoft Azure server and runs on the Oracle Marketing Cloud in the US.

The impact of this data leak can have a lasting impression for tens of millions of people, the research team added, with no telling whether the data was accessed by third parties.

Scammers can use the information to conduct fraud and identity theft, for example, as well as phishing scams online or by targeting people through phone calls. Blackmail is also a big risk, with cyber criminals able to glean private and potentially compromising material from plaintext SMS message content.

Industrial espionage is another potential issue, with the leak making it possible for a user's competitor to learn about marketing campaigns, roll out dates for new products, or even product design and specs, among many other areas.


Understanding the must-haves of modern data protection

Go beyond traditional backup and recovery


The vpnMentor team suggested the leak could have been prevented if TrueDialog "had taken some basic security measures" including securing the servers in the first place, implementing proper access rules, and not leaving a system that required no authentication open to the internet.

"Our team was able to access this database because it was completely unsecured and unencrypted," they continued.

"The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing the database schemata.

"The purpose of this web mapping project is to help make the internet safer for all users. As ethical hackers, we're obliged to inform a company when we discover flaws in their online security. This is especially true when the companies data breach contains such private information."

Exposed databases have been identified as the source of various leaks and breaches in recent times across both small and large companies.

Biometric information including registered fingerprints belonging to one million people was exposed earlier this year, for example, when the Biostar 2 database was accidentally made unprotected.

In September, meanwhile, the personal data on every Ecuadorian citizen was leaked online through an exposed AWS server.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.