Last month, two security researchers, Noam Rotem and Ran Locar found an unprotected database managed by TrueDialog. The database exposed tens of millions of SMS text messages exchanged between businesses and their customers.
TrueDialog is a US-based SMS text service provider for enterprise businesses and higher education. Its cloud-based texting platform enables users to send both one-to-one as well as bulk messages to customers.
What data TrueDialog’s database exposed
Along with millions of sent and received text messages, this database included phone numbers, marketing messages from businesses with discount codes, job alerts, and more. Some of the two-way messages had a unique conversation code using which anyone would be able to read the entire thread of conversations.
What concerning is that there were also text messages with sensitive information. As per TechCrunch, the database included “two-factor codes and other security messages, which may have allowed anyone viewing the data to gain access to a person’s online accounts.” TechCrunch further shared that the database also included messages containing codes to access online medical services, password reset and login codes for sites including Facebook and Google, and usernames and passwords of TrueDialog’s customers.
TrueDialog took the database offline shortly after being contacted by TechCrunch. However, the company’s chief executive John Wright did not acknowledge the breach or gave any clarity on whether TrueDialog will be informing this to its customers.
This is another case of companies being negligent towards their customers’ data. In October this year, an Elasticsearch server, allegedly belonging to two data enrichment companies exposed the personal information of nearly 1.2 billion users. In another case, security researcher Oliver Hough discovered that printing company Vistaprint left an online database containing customer interactions unencrypted.
Check out the report by Noam Rotem and Ran Locar to know more about TrueDialog data leak in detail.