Humongous SMS Data Leak Exposes A Vast Number Of Americans

A staggering number of Americans have been left vulnerable after being unintentionally caught in a data leak because Business SMS Provider TrueDialog left a huge database exposed online.

Tens of millions pieces of data was leaked to potential fraudsters to cause unimaginable damage. The team at vpnMentor revealed the Oracle Marketing Cloud database hosted on Microsoft Azure in the US.

It is claimed that the database had been left visible for all to see, exposing 604GB – or one billion entries of sensitive, personal information.

A vpnMentor claimed:

 “It’s difficult to put the size of this data leak into context. Tens of millions of people were potentially exposed in a number of ways. It’s rare for one database to contain such a huge volume of information that’s also incredibly varied.”

“The database contained entries that were related to many aspects of TrueDialog’s business model. The company itself was exposed, along with its client base, and the customers of those clients.”

TrueDialog’s clientele consists of mainly businesses and higher education institutions, who use their services to send out bulk marketing missives and warning alerts to their customers/students.

The sensitive information which has been leaked includes full names, email addresses, phone numbers of SMS recipients, plus the information contained in the messages itself. Furthermore, clear-text and easily decrytable base-64-encoded account logins for TrueDialog clients.

Theoretically, the scale of the leak meant that it could have been used in account takeover (ATO) attacks targeting their business clients. Also, fraudsters could have used identity fraud/phishing methods or maybe blackmail against SMS recipients.

Once the researchers contacted TrueDialog, the issue was fixed the following day but the SMS giant did not comment on the data leak.

Kelly White, CEO of RiskRecon, argued that every service provider is a potential source of data exposure today. He said: 

“It’s a trade-off that most enterprises make a thousand times in order to more effectively run their business but putting blind trust into a service provider and assuming they’ll keep sensitive data safe is a recipe for disaster.”

He continued:

“That’s why it’s so important for companies to extend their ability to safeguard data across the networks of any third or fourth party with whom they interact, which means asking questions like whether service providers have taken the necessary precautions to keep sensitive data under lock and key. That includes using cloud storage that isn’t internet-facing in order to reduce unnecessary exposure.”

Fraud is an ever-increasing blight on society, and one that can have a detrimental impact on the lives and businesses of those it touches.

The National Centre for Cyber Security confirmed the legal industry is the main target for fraudsters which means legal service providers are exposed to cyber criminals everyday – who are continually finding newer and bolder ways to attack firms and their clients.

Crowe, KYND and University of Portsmouth’s Centre for Counter Fraud Studies commenced research in spring this year to reveal how vulnerable the legal sector is to cyber crime.

The results were shocking, as the majority of 200 leading law firms are completely unprepared and susceptible to cyber attacks, according to a 2019 report on fraud and cyber crime vulnerabilities in the legal sector.

Solicitors and law firms continually face terrorisation from cyber criminals due to the sensitive data, large sums of money and important information that they hold – it is therefore imperative that businesses are taking it seriously by implementing robust systems and processes to mitigate the risk of fraud.