An open database at text messaging solution company TrueDialog left user SMS messages exposed for months, putting nearly a billion records and “millions of Americans at risk,” according to the researchers who discovered the database, hosted by Microsoft Azure and running on the Oracle Marketing Cloud in the U.S.
In addition to private text messages, the vpnMentor research team, led by Noam Rotem and Ran Locar, found millions of account usernames and passwords, as well as PII of TrueDialog users and their customers, adding up to 604 GB of data. The researchers had no difficulty in determining the database was owned by TrueDialog – a company that provides SMS solutions for businesses and has more than 5 billion subscribers globally – because its host ID “api.truedialog.com” appeared throughout.
“Tens of millions of people were potentially exposed in a number of ways,” the researchers wrote in a blog post. “It’s rare for one database to contain such a huge volume of information that’s also incredibly varied.”
The researchers found entries in the database “that were related to many aspects of TrueDialog’s business model” and explained “the company itself was exposed, along with its client base, and the customers of those clients.”
Technical logs residing in the database “revealed important details as to how the database is structured and managed,” including “hundreds of thousands of entries that documented the communication between different phone numbers linked to” Eloqua by Oracle, TrueDialog’s marketing platform.
“We also found in the database logs of internal system errors as well as many HTTP requests and responses, which means that whoever found it could see the site’s traffic,” the researchers wrote. “This could by itself have exposed vulnerabilities.”
After discovering the database on Nov. 26 and conducting an investigation, vpnMentor notified TrueDialog on Nov. 28. The researchers said the company didn’t reply, but closed the database on Nov. 29.
The incident exposed vulnerabilities that can arise in third-party ecosystems. “Putting blind trust into a service provider and assuming they’ll keep sensitive data safe is a recipe for disaster,” said Kelly White, CEO at RiskRecon. “That’s why it’s so important for companies to extend their ability to safeguard data across the networks of any third or fourth party with whom they interact, which means asking questions like whether service providers have taken the necessary precautions to keep sensitive data under lock and key.”