Tens of millions of Americans may have been caught in another data leak after business SMS provider TrueDialog left a massive database exposed online, according to researchers.
The team at vpnMentor discovered the Oracle Marketing Cloud database hosted on Microsoft Azure in the US. It was apparently left wide open, exposing 604GB — or one billion entries — of sensitive information.
“It’s difficult to put the size of this data leak into context. Tens of millions of people were potentially exposed in a number of ways. It’s rare for one database to contain such a huge volume of information that’s also incredibly varied,” vpnMentor claimed.
“The database contained entries that were related to many aspects of TrueDialog’s business model. The company itself was exposed, along with its client base, and the customers of those clients.”
TrueDialog’s clients are mainly businesses and higher education institutions, which use its services to send out bulk marketing missives and alerts to their customers/students.
The leak exposed the full names, email addresses and phone numbers of SMS recipients as well as the content of messages, plus account log-ins for TrueDialog clients stored either in clear text or base64-encoded, which is an encoding rather than encryption and is trivially reversed.
The exposed data could theoretically have been used in account takeover (ATO) attacks targeted at those TrueDialog business clients, plus identity fraud/phishing and even blackmail efforts against SMS recipients. The TrueDialog service allows for two-way communication between business and customer, so texts contained plenty of personal information sent by the latter, according to vpnMentor.
Although the SMS giant fixed the issue a day after being contacted by the researchers, it offered no response to them.
The firm apparently works with nearly 1000 mobile phone operators and reaches more than five billion subscribers around the world.
Kelly White, CEO of RiskRecon, argued that every service provider is a potential source of data exposure today.
“It’s a trade-off that most enterprises make a thousand times in order to more effectively run their business, but putting blind trust into a service provider and assuming they’ll keep sensitive data safe is a recipe for disaster,” he added.
“That’s why it’s so important for companies to extend their ability to safeguard data across the networks of any third or fourth party with whom they interact, which means asking questions like whether service providers have taken the necessary precautions to keep sensitive data under lock and key. That includes using cloud storage that isn’t internet-facing in order to reduce unnecessary exposure.”