Millions of text messages from bulk service provider found open on the internet

Businesses and educational institutions around the world that use the TrueDialog SMS bulk texting service are scrambling to assess the potential damage to their communications after news that security researchers discovered a huge database of unprotected messages from the Texas-based provider.

Researchers at vpnMonitor, a news site that reviews VPN solutions, said Sunday that as part of an ongoing project to discover unprotected databases on the internet they found one belonging to TrueDialog, a cloud-based provider of mass texting solutions used by companies and colleges. Not only were customer messages open, so were texts of TrueDialog employees.

TrueDialog clients use the company’s services to send bulk SMS messages for marketing blurbs, customer support texting, employee and student notifications, and two-way texting.

According to the researchers, TrueDialog works with over 990 cell phone operators and reaches more than 5 billion subscribers around the world.

After being contacted on Nov. 28 — two days after the database was discovered — the company closed it. Still, it isn’t known how long the 604 GB of data with millions of messages — which was hosted by Microsoft Azure and ran on the Oracle Marketing Cloud in the U.S. — was open, or whether anyone copied the data. Nor is it clear why the database wasn’t encrypted.

Researchers said the texts included private messages as well as millions of account usernames, unencrypted passwords, personal information such as phone numbers and email addresses, and TrueDialog account details. Unless passwords are changed, a hacker with the database could log into an account, change a user’s password and send damaging messages. Just as important, a person with the database could discover company secrets valuable to a competitor — or for ransom. And, of course, email addresses can be used for phishing.

“We also found in the database logs of internal system errors as well as many HTTP requests and responses, which means that whoever found it could see the site’s traffic,” researchers said. “This could by itself have exposed vulnerabilities.”

Unlike encrypted apps like Apple Messages, Signal, WhatsApp, and Telegram, standard SMS messages are unencrypted.

The researchers suggest the discovery is evidence of poor access control as well as a failure to encrypt a vital corporate asset.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
