The IT security researchers at vpnMentor have discovered a trove of insecurely hosted data belonging to a company based in the United States. The firm, TrueDialog, provides a range of texting solutions to businesses in the USA and as such had a database containing confidential data of its customers.
The data was identified as belonging to the firm because its host ID, “api.truedialog.com”, appeared on several occasions in the data. Hosted on Microsoft Azure and running on Oracle Marketing Cloud, the database included millions of text messages, account usernames and passwords, phone numbers of both recipients and users, status indicators of sent messages such as “read”, and certain other account details.
To give a sense of the scale, the data was found to be 604 GB in size, a substantial amount to say the least. However, the exact number of entries was not stated due to how the search functionality of the database works.
Additionally, “technical logs” were found that revealed the database structure. vpnMentor elaborates on this by stating how “there were hundreds of thousands of entries that documented the communication between different phone numbers linked to TrueDialog’s marketing platform, Eloqua by Oracle.”
If this wasn’t enough, error logs were also exposed, including HTTP requests, giving anyone free license to inspect the site’s traffic. Then, 2 days later on 28 November, vpnMentor contacted the company, and the very next day the issue had been fixed, a timely response indeed.
“As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. This is especially true when the company’s data breach contains such private information. However, these ethics also mean we carry a responsibility to the public. TrueDialog users must be aware of a data breach that impacts them also,” said vpnMentor in its blog post.
Yet the quick fix doesn’t take away from the potential impact that this breach may have. Data in such large volume is an excellent target both for spammers, who may want to use it in marketing campaigns, and for attackers, who may experiment with social engineering in different ways for malicious purposes.
Furthermore, although the specifics vary from breach to breach, unless you’re Facebook, you have threatening competitors who could gain clues about your operational strategies from such incidents and also use the bad publicity against you.
Hence, it is advised that all companies take at least basic security measures, such as protecting all of their databases with access control mechanisms and implementing encryption.
Users, on the other hand, should ask not only the largest companies but practically any firm that they trust with their data to be more transparent about its security practices.