Millions of SMS messages have been found openly accessible on the internet, protected by neither a password nor encryption. The database is managed by the Texas-based company TrueDialog, which specializes in sending bulk SMS on behalf of companies and universities. The exposed data includes online access codes to medical services and passwords to access social networks.
The database is run by TrueDialog, a business SMS provider for businesses and higher education providers, which lets companies, colleges, and universities send bulk text messages to their customers and students.
Tens of millions of SMS messages have been found openly accessible on the internet, without a password and without any encryption. The leak was spotted by two Israeli researchers, Noam Rotem and Ran Locar, assisted by the VPNMentor website, on December 1, 2019. Since then, access has been cut off.
This database is managed by the Texas communication company TrueDialog, which specializes in mass mailing of SMS to companies and universities. The service also allows recipients to respond to these requests and thus engage in a dialogue with the issuing organization.
The exposed database had more than one billion entries containing sensitive data such as access codes to online medical services and passwords used to access social networks. This information could be used by scammers, in particular to send fake messages to the owners. The researchers also revealed that the technical characteristics of the database allowed anyone to freely read whole chains of conversations.
EXAMPLE OF EXPOSED DATA
As mentioned on the VPNMentor website, it’s difficult to put the size of this data leak into context. Tens of millions of people were potentially exposed in a number of ways. It’s rare for one database to contain such a huge volume of information that’s also incredibly varied.
The database contained entries that were related to many aspects of TrueDialog’s business model. The company itself was exposed, along with its client base, and the customers of those clients. The information contained in this database could have been used in myriad ways against the people whose information was exposed.
TRUEDIALOG ACCOUNT LOGINS
Millions of email addresses, usernames, cleartext passwords, and base64-encoded passwords (which are easy to decode, since base64 is an encoding and not encryption) were easily accessible within the database. At the international level, TrueDialog has 5 billion subscribers, but it seems that the leak concerns only US citizens. TechCrunch tried to contact the general manager of the company, John Wright, but he refused to answer their questions.
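The point about base64 above, as an added example that is not from VPNMentor or TrueDialog: a heuristic audit that labels stored password values as cleartext, base64 or hashed, next to a salted PBKDF2 alternative. The record layout, function names and sample passwords are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re

# Prefixes of common salted password-hash formats.
HASH_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2", "$scrypt$", "$pbkdf2")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
ITERATIONS = 600_000


def classify_password_field(value: str) -> str:
    """Heuristically label how a stored password value is protected."""
    if value.startswith(HASH_PREFIXES):
        return "hashed"
    if len(value) % 4 == 0 and B64_RE.match(value):
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return "cleartext"
        if decoded.isprintable():
            return "base64"  # reversible by anyone: no key is involved
    return "cleartext"


def hash_password(password: str) -> str:
    """Store a salted, slow hash instead of a reversible encoding."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, _, iters, salt_hex, digest_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit(records: list) -> dict:
    """Count records by storage class."""
    counts = {"cleartext": 0, "base64": 0, "hashed": 0}
    for rec in records:
        counts[classify_password_field(rec["password"])] += 1
    return counts


# Constructed sample records, not data from the leak.
SAMPLE_RECORDS = [
    {"user": "a@example.com", "password": "Summer#2019"},
    {"user": "b@example.com", "password": base64.b64encode(b"Winter2019!").decode()},
    {"user": "c@example.com", "password": hash_password("Winter2019!")},
]
```
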
At present, it is unclear whether TrueDialog has informed its customers of this flaw or whether it plans to contact the US regulatory authorities to inform them of the situation. This is not the first time that a company has been accused of negligence in protecting its customers' data. On November 20, 2019, Gekko Group, a subsidiary of the AccorHotels group, was confronted with a leak of personal data including, but not limited to, the last name, first name, email address, postal address, bank details ...