More than 26 million text messages may have been breached as a result of an unsecured database operated by telecommunications company Voxox. Cybersecurity researcher Sebastien Kaul discovered that the unsecured database was not even password protected, and information contained within those messages includes passwords in plain text, two-factor authentication codes, account security codes, tracking information for package shipments, account reset codes, and even medical appointment reminders. Notably, these messages include communications from banks, medical institutions and hospitals, Yahoo, Google, Microsoft, and Huawei.
When a developer sends a two-factor authentication code or when a user requests a login link via text message, “it’s firms like Voxox that act as a gateway and converting those codes into text messages, to be passed on to the cell networks for delivery to the user’s phone,” TechCrunch noted of Voxox’s role in maintaining an unsecured database of SMS messages. SMS, which stands for short message service, is another name for text messages sent over a carrier’s network.
Voxox has since pulled the database, and at this time it’s unclear if any information contained within the database was accessed by a malicious actor. In addition to exposing the recipient’s mobile number, the database potentially offered any hacker near real-time access to password reset links and two-factor authentication codes. This places many accounts at risk. Voxox cofounder and CTO Kevin Hertz told TechCrunch in an email that the company is investigating the breach and that it is also “evaluating impact.”
According to Kaul, the database contained records with detailed information about the message. “Each record was meticulously tagged and detailed, including the recipient’s cell phone number, the message, the Voxox customer who sent the message and the shortcode they used,” TechCrunch said.
Although SMS verification, when used with login credentials, offers more protection than merely using a username and password, security experts have more recently issued warnings about the vulnerability of SMS systems. Primarily, researchers have warned that SMS messages could be intercepted, and this latest breach is a prime example of that. As a result, experts say that authentication apps or hardware-based USB security keys, like Google’s Titan keys, are safer options when it comes to multi-factor authentication.