Data leak leaves tens of millions of text messages exposed
The messages, which included password reset links, two-factor authentication codes and shipping notifications, were left exposed on a server
Tens of millions of text messages have been exposed on a company’s database by a security lapse.
The messages, which included password reset links, two-factor authentication codes and shipping notifications, were exposed on a server belonging to Voxox.
Alarmingly, the San Diego-based communications company’s server was not password protected, meaning anyone who knew where to find it could easily snoop.
Berlin-based security researcher Sébastien Kaul found the database had just over 26 million text messages when it was taken offline by Voxox following an inquiry by TechCrunch.
But the volume of messages processed through the platform per minute suggests this figure may be higher.
Each record included the recipient’s mobile phone number, the message, the Voxox customer who sent the message, and the shortcode they used – although the codes themselves would only have been usable for a very short amount of time.
Voxox acts as a gateway for companies such as Amazon by converting shipping codes or two-factor authentication codes into text messages to be passed on to customers’ mobile phones.
And apps such as Viber and HQ Trivia use the technology to verify a user’s phone number or send a two-factor authentication code.
Among its findings, TechCrunch discovered several Booking.com partners were sent their six-digit two-factor codes to log in to the company’s extranet corporate network.
It also found several small to mid-size hospitals and medical facilities sent reminders to patients about their upcoming appointments, and in some cases, billing inquiries; and a password was sent in plaintext to a Los Angeles phone number by dating app Badoo.
Dylan Katz, a security researcher, told TechCrunch: “My real concern here is the potential that this has already been abused.
“This is different from most breaches, due to the fact the data is temporary, so once it’s offline any data stolen isn’t very useful.”
Kevin Hertz, Voxox’s co-founder and chief technology officer, told TechCrunch in an email that the company was “looking into the issue and following standard data breach policy at the moment” and that the company was “evaluating impact”.