A researcher uncovered a massive SMS Bombing Operation in a passwordless database that exposed the sensitive information of millions of users.
Security researcher Bob Diachenko discovered an open and unprotected MongoDB instance containing a massive amount of data, including MD5-hashed email addresses, first and last names, location data, IP addresses, phone numbers, mobile network carriers and line types (mobile or landline).
The MongoDB instance was named ApexSMS index; ApexSMS is also the name of an SMS bombing program that is heavily advertised on hacker and black hat forums.
SMS bombing is when threat actors use a software program to send the same message repeatedly, or to rotate through different messages, to a number of their choice, whether for a prank, harassment, or marketing products and services.
Diachenko said it appears the alleged owners of the database may have an official cover as mobiledrip(dot)com; however, this is still to be confirmed, as the researchers never received confirmation from anybody at MobileDrip.
The company claims its services can allow customers to send more than five million SMS messages per month.
While the site claims that it doesn’t engage in spam, the researchers said the database contained messages, sent to millions of people, that were designed to trick recipients into clicking links by pretending to be a referral from a friend or family member.
The script also tracked responses and actions; in one of the SMS replies received by the platform, a recipient wrote, “Nathan is married and didn’t talk to you yesterday because I his wife had this phone. Text this phone I’ll have you charged with harassment.”
Diachenko said it is unclear how long the instance was accessible or who else may have accessed the contacts, but said it does raise the issue once again that data security can affect legitimate businesses and what many would consider “gray marketing” at best.