Daily Trust

Massive security breach exposes 26m SMS messages

- By Zakariyya Adaramola, with agency reports

A massive data breach has exposed tens of millions of SMS text messages.

The breach involved a database of 26 million text messages, some of which included private customer data like password reset information, shipping notifications and two-factor authentication codes, TechCrunch reported.

The database was operated by Voxox, a California-based communications firm.

Making matters worse, the database wasn’t even password protected, according to Sebastian Kaul, a Berlin-based security researcher who discovered the vulnerability.

How were 26 million texts exposed?

A security researcher discovered a database of 26 million SMS messages.

The database is operated by Voxox, a California-based communications firm.

The firm acts as a middle man between app developers and users’ phones.

Many of the messages included plain-text passwords, account reset links and two-factor authentication codes.

Each message in the database was tagged with the recipient’s phone number, included the message and noted which Voxox customer had sent the message.

The database has since been taken offline.

Kaul stumbled upon the database and found that not only was it without a password, but it was also searchable by both names and phone numbers.

Voxox acts as a middle man between app developers and users’ phones.

For example, when someone requests to change their password, the app may send an account reset link or code to the person’s phone.

Voxox converts those codes into text messages that are then delivered to the user’s phone.

The database also included text messages sent to customers from companies like Google, Amazon and Microsoft.

Worryingly, the database was still live even after the vulnerability was discovered, which means that savvy hackers could monitor any password reset requests or two-factor authentication codes and use that to get into a user’s account, if they had all the right credentials.

Many two-factor authentication and reset codes are only usable for a short period of time, but if intercepted at the right time, hackers could have used them.

TechCrunch later contacted Voxox about the issue and the firm pulled the database offline.

The firm added that it’s ‘looking into the issue and following standard data breach policy at the moment,’ as well as ‘evaluating the impact.’

TechCrunch also observed what kinds of data were passing through Voxox’s database in real time.

Each record in the database was tagged with the recipient’s phone number, included the message and noted which Voxox customer had sent the message.

How can I choose a secure password?

According to internet security provider Norton, ‘the shorter and less complex your password is, the quicker it can be for the program to come up with the correct combination of characters.

The longer and more complex your password is, the less likely the attacker will use the brute force method, because of the lengthy amount of time it will take for the program to figure it out.

‘Instead, they’ll use a method called a dictionary attack, where the program will cycle through a predefined list of common words that are used in passwords.’

Here are some steps to follow when creating a new password:

DO:

Use a combination of numbers, symbols, uppercase and lowercase letters

Ensure that the password is at least eight characters long

Use abbreviated phrases for passwords

Change your passwords regularly

Log out of websites and devices after you have finished using them

DO NOT:

Choose a commonly used password like ‘123456’, ‘password’, ‘qwerty’ or ‘111111’

Use a solitary word. Hackers can use dictionary-based systems to crack passwords

Use a derivative of your name, family member’s name, pet’s name, phone number, address or birthday

Write your password down, share it or let anyone else use your login details

Answer ‘yes’ when asked to save your password to a computer browser

Among the many texts, one included a password to a Badoo dating app account, while several messages included password reset codes to Microsoft and Huawei accounts.

The breach highlights the vulnerabilities of using text-based two-factor authentication, or sending account reset links over SMS.

Many security experts recommend app-based two-factor authentication, which tends to be safer than SMS-based verification.

Another option is to use an authentication app like 1Password, which has a built-in two-factor authentication code generator.
