Millions of text messages exposed in database security lapse

[Free]

Millions of SMS messages exposed in database security lapse

Exclusive: The exposed database was left unprotected without a password. None of the data was encrypted.

techcrunch.com

A massive database storing tens of millions of SMS text messages, most of which were sent by businesses to potential customers, has been found online.

The database is run by TrueDialog, a business SMS provider for businesses and higher education providers, which lets companies, colleges, and universities send bulk text messages to their customers and students. The Austin, Texas-based company says one of the advantages to its service is that recipients can also text back, allowing them to have two-way conversations with brands or businesses.

The database stored years of sent and received text messages from its customers and processed by TrueDialog. But because the database was left unprotected on the internet without a password, none of the data was encrypted and anyone could look inside.

The key bits here:

The database contained information about university finance applications, marketing messages from businesses with discount codes, and job alerts, among other things.

But the data also contained sensitive text messages, such as two-factor codes and other security messages, which may have allowed anyone viewing the data to gain access to a person’s online accounts. Many of the messages we reviewed contained codes to access online medical services to obtain, and password reset and login codes for sites including Facebook and Google accounts.

The data also contained usernames and passwords of TrueDialog’s customers, which if used could have been used to access and impersonate their accounts.

 

[Kara Spengler]

This is stupid from a security perspective but sms is not a secure protocol in the first place.

 

[Brenda Archer]

And I'll be back to telling my doctors to call me.

 

[Kara Spengler]

BTW, those two factor authentication codes would not do you much good anyway. You already would have a compromised password. Then the code itself is usually only valid for a short period of time.

 

[Sean Gorham]

I really wish companies would stop using SMS for two-factor authentication. IT. IS. NOT. SECURE. THAT WAY. I swear, these people have never heard of man-in-the-middle attacks...

 

[Kara Spengler]

I really wish companies would stop using SMS for two-factor authentication. IT. IS. NOT. SECURE. THAT WAY. I swear, these people have never heard of man-in-the-middle attacks...

Security is often a 'check the box' thing. I keep saying one of these days I will break down and buy a WiFi Pineapple just so I can run an open wifi network that is 1 page telling people that opening an unknown unprotected wifi connection is fucking idiotic!

 

[Essence Lumin]

Security is often a 'check the box' thing. I keep saying one of these days I will break down and buy a WiFi Pineapple just so I can run an open wifi network that is 1 page telling people that opening an unknown unprotected wifi connection is fucking idiotic!

There are tradeoffs.
1. If my traffic can be viewed I don't care much if they see this post, well maybe a little.
2. This post is being created over https so good luck viewing it. I suppose if they somehow forged the server certificate it could be done.
3. I deal with two banks. The big national one lets me use lastpass autofills on my phone. The small local one does not. So I have to resort to a relatively short typeable password with them which is bad for my security.

 

[Sean Gorham]

1. If my traffic can be viewed I don't care much if they see this post, well maybe a little.
2. This post is being created over https so good luck viewing it. I suppose if they somehow forged the server certificate it could be done.
3. I deal with two banks. The big national one lets me use lastpass autofills on my phone. The small local one does not. So I have to resort to a relatively short typeable password with them which is bad for my security.

1. Securing only the important traffic puts up a red flag to anyone (or whatever computer) might be monitoring it. If all your traffic is secured they have to figure out what's what. More work for them. You (the general you here) wouldn't send letters without an envelope, would you? Of course not - you always use them.

2. HTTPS is good and necessary, but not perfect, and not sufficient by itself. Defense in depth (secured wifi, a VPN, etc.) in addition to HTTPS is never a bad idea.

3. Perhaps try a different password manager? The only one I'm intimately familiar with is 1Password (a paid app) but it's never had trouble filling in passwords on any device, on any site, ever. You should (almost) never have to type in a password by hand these days. Worst case, you should be able to cut-and-paste the password into the correct field. Then hopefully the password manager will clear out the clipboard for you.

 

[Essence Lumin]

1. Securing only the important traffic puts up a red flag to anyone (or whatever computer) might be monitoring it. If all your traffic is secured they have to figure out what's what. More work for them. You (the general you here) wouldn't send letters without an envelope, would you? Of course not - you always use them.

If I was using an insecure site for my web access it would be someplace like a coffee shop where I would only be there a short time anyway. As for envelopes, I don't have a problem with postcards. I haven't mailed anything in around a year it seems.

2. HTTPS is good and necessary, but not perfect, and not sufficient by itself. Defense in depth (secured wifi, a VPN, etc.) in addition to HTTPS is never a bad idea.

It's mainly a bad idea when it is more trouble to do than it is worth. Paying for a vpn to post this would be an example.

3. Perhaps try a different password manager? The only one I'm intimately familiar with is 1Password (a paid app) but it's never had trouble filling in passwords on any device, on any site, ever. You should (almost) never have to type in a password by hand these days. Worst case, you should be able to cut-and-paste the password into the correct field. Then hopefully the password manager will clear out the clipboard for you.

You would think. It seems the bank app actively looks for stuff that is pasted. Maybe it is rejecting text in the password field that is pasted within 1/10 of a second. It's pretty darned stupid but their is no other bank that fits my needs here. I mostly just use their website on a pc that doesn't have that problem. The problem is just on a phone.

 

[Kara Spengler]

1. Securing only the important traffic puts up a red flag to anyone (or whatever computer) might be monitoring it. If all your traffic is secured they have to figure out what's what. More work for them. You (the general you here) wouldn't send letters without an envelope, would you? Of course not - you always use them.

2. HTTPS is good and necessary, but not perfect, and not sufficient by itself. Defense in depth (secured wifi, a VPN, etc.) in addition to HTTPS is never a bad idea.

3. Perhaps try a different password manager? The only one I'm intimately familiar with is 1Password (a paid app) but it's never had trouble filling in passwords on any device, on any site, ever. You should (almost) never have to type in a password by hand these days. Worst case, you should be able to cut-and-paste the password into the correct field. Then hopefully the password manager will clear out the clipboard for you.

Right, how much good a VPN does is debatable but at the absolute worst case with a truly evil VPN it just means your logs are mixed in with millions of other people's somewhere else. With a paid VPN with good ratings that is probably not going to happen though. Think of it like putting a lock on your door. Sure, people can pick it but most will not know how.

I use 1password too. With some browsers it is automatic (well, after I log in). At the worst case it is copy/paste.