Tens of millions of SMS text messages exposed by unsecured database


The number of “global subscribers” of TrueDialog exposed to attack.


Security researchers have discovered a database exposing the sensitive information of “tens of millions” of people in the U.S., including email addresses, passwords, and full names. The database belongs to communications company TrueDialog and left millions of private text messages unsecured online.

How bad is it? — Austin-based TrueDialog works with small businesses and universities in the U.S. to provide what it describes as “enterprise-grade SMS texting.”

According to the vpnMentor team, which uncovered the leak on November 26, the company boasts upwards of 5 billion global subscribers and has partnerships with over 990 cell phone operators. In other words, its scope is pretty massive.

The vpnMentor researchers led by Noam Rotem and Ran Locar found tens of millions of SMS messages on the database, from which they were able to view full names, phone numbers, and account details, along with other sensitive information. The database also exposed logs of internal errors, sales leads, and traffic reports, putting TrueDialog itself at risk right alongside its customers. All credentials were stored in cleartext.

This trove of unprotected information leaves the door open to all sorts of scams, including but not limited to identity theft, phishing, and blackmail.

So, what now? — After vpnMentor notified TrueDialog of the vulnerability, the company closed the database within a matter of days, though it never responded directly to vpnMentor’s inquiry. It’s unclear how long the database was left open before this. While it might all be locked up now, there’s no telling what was done with the data in the run-up.

“The impact of this data leak can have a lasting impression for tens of millions of users,” the vpnMentor team notes. “The available information can be sold to both marketers and spammers.”

That data, the researchers warn earlier in the report, “could have been used in myriad ways against the people whose information was exposed.”