Businesses and educational institutions around the world that use the TrueDialog SMS bulk texting service are scrambling to assess the potential damage to their communications after news that security researchers discovered a huge database of unprotected messages from the Texas-based provider.
Researchers at vpnMonitor, a news site that reviews VPN solutions, said Sunday that as part of an ongoing project to discover unprotected databases on the internet they found one belonging to TrueDialog, a cloud-based provider of mass texting solutions used by companies and colleges. Not only were customer messages open, so were texts of TrueDialog employees.
TrueDialog clients use the company’s services to send bulk SMS messages for marketing blurbs, customer support texting, employee and student notifications, and two-way texting.
According to the researchers, TrueDialog works with over 990 cell phone operators and reaches more than 5 billion subscribers around the world.
After being contacted on Nov. 28 — two days after it was discovered — the database was closed by the company. Still, it isn’t known how long the 604 GB of data with millions of messages — which were hosted by Microsoft Azure and ran on the Oracle Marketing Cloud in the U.S. — was open, or whether anyone copied the data. Nor is it clear why the database wasn’t encrypted.
Researchers said the texts included private messages as well as millions of account usernames, unencrypted passwords, personal information such as phone numbers and email addresses, and TrueDialog account details. Unless passwords are changed, a hacker with the database could log into an account, change a user’s password and send damaging messages. Just as important, a person with the database could discover company secrets valuable to a competitor — or for ransom. And, of course, email addresses can be used for phishing.
“We also found in the database logs of internal system errors as well as many HTTP requests and responses, which means that whoever found it could see the site’s traffic,” researchers said. “This could by itself have exposed vulnerabilities.”
Unlike encrypted apps like Apple Messages, Signal, WhatsApp, and Telegram, standard SMS messages are unencrypted.
The researchers suggest the discovery is evidence of poor access control as well as a failure to encrypt a vital corporate asset.