Millions of text messages exposed in database security lapse

Free

> A massive database storing tens of millions of SMS text messages, most of which were sent by businesses to potential customers, has been found online.
>
> The database is run by TrueDialog, a business SMS provider for businesses and higher education providers, which lets companies, colleges, and universities send bulk text messages to their customers and students. The Austin, Texas-based company says one of the advantages to its service is that recipients can also text back, allowing them to have two-way conversations with brands or businesses.
>
> The database stored years of sent and received text messages from its customers and processed by TrueDialog. But because the database was left unprotected on the internet without a password, none of the data was encrypted and anyone could look inside.

The key bits here:

> The database contained information about university finance applications, marketing messages from businesses with discount codes, and job alerts, among other things.
>
> But the data also contained sensitive text messages, such as two-factor codes and other security messages, which may have allowed anyone viewing the data to gain access to a person's online accounts. Many of the messages we reviewed contained codes to access online medical services to obtain, and password reset and login codes for sites including Facebook and Google accounts.
>
> The data also contained usernames and passwords of TrueDialog's customers, which if used could have been used to access and impersonate their accounts.
 

Kara Spengler

BTW, those two factor authentication codes would not do you much good anyway. You already would have a compromised password. Then the code itself is usually only valid for a short period of time.
 

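The post above argues that a leaked SMS code is of limited use because it is short-lived. As an added example (not code from the article, TrueDialog, or any poster), here is a minimal server-side store for SMS one-time codes that enforces the two properties that make that argument hold: a code expires after a fixed window, and it is consumed on first successful use, so a replay from a leaked message fails. It also stores only a salted hash of each code, so a dump of this store itself does not hand out usable codes. The five-minute TTL, six-digit length, and the `OtpStore` class are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed policy: a code is valid for five minutes
OTP_DIGITS = 6         # assumed code length


class OtpStore:
    """In-memory store of pending SMS codes (hypothetical, for illustration).

    Only a per-code salt and SHA-256 digest are kept, never the code itself,
    and every code is single-use and time-limited.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # user -> (salt, digest, expires_at)

    def issue(self, user):
        """Generate a fresh code for `user` and return it (this is what goes out over SMS)."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + code.encode()).digest()
        self._pending[user] = (salt, digest, self._now() + OTP_TTL_SECONDS)
        return code

    def verify(self, user, code):
        """Return True exactly once for the correct, unexpired code; False otherwise."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        salt, digest, expires_at = entry
        if self._now() > expires_at:
            del self._pending[user]            # expired: discard, do not accept
            return False
        candidate = hashlib.sha256(salt + code.encode()).digest()
        ok = hmac.compare_digest(candidate, digest)   # constant-time compare
        if ok:
            del self._pending[user]            # single use: a replay fails
        return ok


def replay_and_expiry_demo():
    """Walk through the two failure modes a leaked code runs into.

    Returns a dict of outcomes so the behaviour can be checked by a caller.
    """
    clock = [1_000_000.0]                      # constructed fake clock
    store = OtpStore(now=lambda: clock[0])

    leaked = store.issue("alice")              # imagine this SMS was logged by the provider
    first_use = store.verify("alice", leaked)  # legitimate user logs in: True
    replay = store.verify("alice", leaked)     # attacker replays the same code: False

    leaked2 = store.issue("alice")
    clock[0] += OTP_TTL_SECONDS + 1            # attacker reads the dump an hour later
    stale = store.verify("alice", leaked2)     # expired: False

    wrong = store.issue("bob") and store.verify("bob", "000000")  # wrong guess: False

    return {"first_use": first_use, "replay": replay, "stale": stale, "wrong": wrong}


if __name__ == "__main__":
    print(replay_and_expiry_demo())
```

The caveat the thread glosses over is timing: a code read out of a live, unprotected database within the validity window is still good, and TrueDialog's store held the messages as sent, so hashing on the service side does not help against a leak at the SMS carrier or aggregator.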
Sean Gorham

I really wish companies would stop using SMS for two-factor authentication. IT. IS. NOT. SECURE. THAT WAY. I swear, these people have never heard of man-in-the-middle attacks... :beatup:
 

Kara Spengler

> I really wish companies would stop using SMS for two-factor authentication. IT. IS. NOT. SECURE. THAT WAY. I swear, these people have never heard of man-in-the-middle attacks... :beatup:

Security is often a 'check the box' thing. I keep saying one of these days I will break down and buy a WiFi Pineapple just so I can run an open wifi network that is one page telling people that opening an unknown unprotected wifi connection is fucking idiotic!
 
> Security is often a 'check the box' thing. I keep saying one of these days I will break down and buy a WiFi Pineapple just so I can run an open wifi network that is one page telling people that opening an unknown unprotected wifi connection is fucking idiotic!

There are tradeoffs.
1. If my traffic can be viewed I don't care much if they see this post, well maybe a little.
2. This post is being created over HTTPS so good luck viewing it. I suppose if they somehow forged the server certificate it could be done.
3. I deal with two banks. The big national one lets me use LastPass autofill on my phone. The small local one does not. So I have to resort to a relatively short typeable password with them, which is bad for my security.
 

Sean Gorham

> 1. If my traffic can be viewed I don't care much if they see this post, well maybe a little.
> 2. This post is being created over HTTPS so good luck viewing it. I suppose if they somehow forged the server certificate it could be done.
> 3. I deal with two banks. The big national one lets me use LastPass autofill on my phone. The small local one does not. So I have to resort to a relatively short typeable password with them, which is bad for my security.

1. Securing only the important traffic puts up a red flag to anyone (or whatever computer) that might be monitoring it. If all your traffic is secured they have to figure out what's what. More work for them. You (the general you here) wouldn't send letters without an envelope, would you? Of course not - you always use them.

2. HTTPS is good and necessary, but not perfect, and not sufficient by itself. Defense in depth (secured wifi, a VPN, etc.) in addition to HTTPS is never a bad idea.

3. Perhaps try a different password manager? The only one I'm intimately familiar with is 1Password (a paid app) but it's never had trouble filling in passwords on any device, on any site, ever. You should (almost) never have to type in a password by hand these days. Worst case, you should be able to cut-and-paste the password into the correct field. Then hopefully the password manager will clear out the clipboard for you.
 
> 1. Securing only the important traffic puts up a red flag to anyone (or whatever computer) that might be monitoring it. If all your traffic is secured they have to figure out what's what. More work for them. You (the general you here) wouldn't send letters without an envelope, would you? Of course not - you always use them.

If I was using an insecure site for my web access it would be someplace like a coffee shop where I would only be there a short time anyway. As for envelopes, I don't have a problem with postcards. I haven't mailed anything in around a year, it seems.

> 2. HTTPS is good and necessary, but not perfect, and not sufficient by itself. Defense in depth (secured wifi, a VPN, etc.) in addition to HTTPS is never a bad idea.

It's mainly a bad idea when it is more trouble to do than it is worth. Paying for a VPN to post this would be an example.

> 3. Perhaps try a different password manager? The only one I'm intimately familiar with is 1Password (a paid app) but it's never had trouble filling in passwords on any device, on any site, ever. You should (almost) never have to type in a password by hand these days. Worst case, you should be able to cut-and-paste the password into the correct field. Then hopefully the password manager will clear out the clipboard for you.

You would think. It seems the bank app actively looks for stuff that is pasted. Maybe it is rejecting text in the password field that is pasted within 1/10 of a second. It's pretty darned stupid, but there is no other bank that fits my needs here. I mostly just use their website on a PC, which doesn't have that problem. The problem is just on a phone.