Millions of SMS sent

Security researchers have discovered a massive database, exposed online, containing tens of millions of SMS messages sent by businesses to potential customers. The database is managed by an enterprise SMS provider called TrueDialog that allows organizations and universities to send bulk text messages to their customers and students. The service also lets recipients reply to these messages, so they can chat back and forth with these companies. The TrueDialog database contained several years of SMS messages sent and received by its customers. Since the database was left unsecured online with no password, anyone could view these unencrypted messages. The initial discovery of the exposed database was made by Noam Rotem and Ran Locar of the vpnMentor research team.

Database content.

After reviewing some of the exposed data, TechCrunch discovered that the data contained detailed records of messages sent by TrueDialog customers, including their phone numbers and the content of their messages. The database contained corporate marketing messages, job alerts, and other offers sent to clients, but it also stored sensitive text messages, such as two-factor authentication codes and security messages. By using the information contained in these messages, anyone could have attempted to access users' online accounts. The data also contained the usernames and passwords of TrueDialog's own customers, which could also have been used to access and impersonate their accounts. Another surprising discovery was that some of the two-way message conversations contained a unique conversation code. Using this code, anyone could have read entire threads of conversations between companies and their customers. This is just the latest case of a database left unsecured online, but it also shows that SMS text messages don't provide a secure way to send sensitive data like two-factor authentication codes. Via TechCrunch