Another California-based communications provider has announced a potential security incident, as VOIPo confessed that it left a database containing seven million call logs, six million text messages and other internal documents containing unencrypted passwords unprotected without a password.
After security researcher Justin Paine notified the company, he wrote, “This database was promptly secured after I notified the company. I would like to thank VOIPo for their quick assistance in securing this data.”
In the security notice shared with customers, VOIPo wrote: “We were made aware of a development server that was exposed for a small window of time. When it was discovered, it was taken offline within 15 minutes of being notified by Cloudflare that they had discovered it. It primarily had some data for database load testing made up of call logs (partial numbers only), SMS messages our system flagged as SPAM and some general server log data."
VOIPo said the dev server was isolated and no other network was at risk because additional production systems are firewalled so that any connection to those systems would not have been possible. However, these statements have been called "misleading" on Twitter.
The VOIPo database reportedly had been exposed since June 2018 and contains call and message logs dating back to May 2015. The news comes only two months after a database misconfiguration at San Diego–based Voxox leaked 26 million text messages. As was the case in the Voxox breach, if text messages containing two-factor authentication (2FA) codes or password reset links were intercepted, they could have allowed the attacker to hijack a user’s account.
“It does not take much for outsiders to find unsecured databases and access sensitive information,” said Stephan Chenette, CTO and co-founder, AttackIQ. “In fact, there are now tools designed to detect misconfigurations within cloud tools like Amazon's S3. Misconfigured security controls are an all-too-common problem. Organizations are increasingly struggling with limited and under-trained IT resources that lead to using default account passwords, unpatched systems and poorly configured network devices.”
Although VOIPo claims there is no evidence to indicate a breach occurred, “the company cannot guarantee that no unauthorized users accessed the data, especially since it was left unsecured and easily available for months,” said Ruchika Mishra, director of products and solutions, Balbix.