CyberWarfare / ExoWarfare

Insecure Microsoft Azure Database Exposes Millions of Private SMS Messages

Researchers discovered an unprotected TrueDialog database hosted by Microsoft Azure with diverse and business-related data from tens of millions of users.

Tens of millions of SMS messages have been found on an unprotected database, putting the private data of hundreds of millions of people in the United States at risk for theft or exposure and leaving a communications company open for potential intrusion, security researchers discovered.

Noam Rotem and Ran Locar from the research team of vpnMentor found the database, which they said belongs to TrueDialog, a U.S.-based communications company, according to a blog post. Based in Austin, Texas, TrueDialog provides bulk SMS services for small businesses, colleges and universities, which means that the majority of the messages were business-related, researchers said.

Moreover, the insecure database was linked to “many aspects” of TrueDialog’s business, potentially increasing unauthorized access to the data of millions of people as well as exposing an unusually diverse data set, they said.

“Hundreds of millions of people were potentially exposed in a number of ways,” according to the post. “It’s rare for one database to contain such a huge volume of information that’s also incredibly varied.”

Despite companies knowing the risks of leaving data unprotected online in this era of cloud-based storage, insecure databases are a persistent problem and remain one of the leading ways data breaches occur. These breaches not only leave customers and users of the companies who exposed the data at risk, but also leave the owners of the databases more susceptible to security threats as well.

Researchers discovered the exposed TrueDialog database on Nov. 26 and contacted TrueDialog two days later, on the 28th. At last look, the database—hosted by Microsoft Azure and on the Oracle Marketing Cloud–included 604 gigabytes of data, including nearly a billion entries that included “sensitive data,” according to researchers.

Types of data found unprotected included:

  • full names of message recipients,
  • TrueDialog account holders and TrueDialog users;
  • message content;
  • email addresses;
  • phone numbers of both recipients and account users;
  • dates and times that messages were sent;
  • and message status indicators.

The account details of TrueDialog account holders also were exposed in the messages, researchers said.

The scope of the leaky data has broad implications for TrueDialog, their users and the recipients of the messages, researchers said.

For users and message-recipients whose data was exposed, their personal details could be sold to marketers and spammers and used for purposes that range from annoying to criminal.

TrueDialog may get the brunt of the impact, however, researchers said. Not only does the unprotected data harm the company’s reputation and allow competitors to capitalize on this, but it also can give competitors an edge over them by providing insight into TrueDialog’s business model and practices, according to the post.

Bad actors also have an opportunity to find and exploit vulnerabilities within TrueDialog’s system by accessing the logs of internal system errors included in the exposed data, researchers added.