Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Data leak leaves tens of millions of text messages exposed

The messages, which included password reset links, two-factor authentication codes and shipping notifications, were left exposed on a server

Chiara Giordano
Saturday 17 November 2018 12:09 EST
Comments
(Getty Images/iStockphoto)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Tens of millions of text messages have been exposed on a company’s database by a security lapse.

The messages, which included password reset links, two-factor authentication codes and shipping notifications, were exposed on a server belonging to Voxox.

Alarmingly, the San Diego-based communications company’s server was not password protected, meaning anyone who knew where to find it could easily snoop.

Berlin-based security researcher Sébastien Kaul found the database had just over 26 million text messages when it was taken offline by Voxox following an inquiry by TechCrunch.

But the volume of messages processed through the platform per minute suggests this figure may be higher.

Each record included the recipient’s mobile phone number, the message, the Voxox customer who sent the message, and the shortcode they used – although the codes themselves would only have been usable for a very short amount of time.

Voxox acts as a gateway for companies such as Amazon by converting shipping codes or two-factor authentication codes into text messages to be passed on to customers’ mobile phones.

And apps such as Viber ad HQ Trivia use the technology to verify a user’s phone number or send a two-factor authentication code.

Among its findings, TechCrunch discovered several Booking.com partners were sent their six-digit two-factor codes to log in to the company’s extranet corporate network.

It also found several small to mid-size hospitals and medical facilities sent reminders to patients about their upcoming appointments, and in some cases, billing inquiries; and a password was sent in plaintext to a Los Angeles phone number by dating app Badoo.

Dylan Katz, a security researcher, told TechCrunch: “My real concern here is the potential that this has already been abused.

“This is different from most breaches, due to the fact the data is temporary, so once it’s offline any data stolen isn’t very useful.”

Kevin Hertz, Voxox’s co-founder and chief technology officer, told TechCrunch in an email that the company was “looking into the issue and following standard data breach policy at the moment” and that the company was “evaluating impact”.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in