Security researchers recently found an unsecured database housing a massive collection of text messages containing private information. Nearly 1 billion entries belonging to over 100 million U.S. citizens were found in the database, stored in plain text.
A majority of the messages were sent by businesses to customers, and “hundreds of thousands of entries” included details about users (including full names, phone numbers, addresses, emails, and more), according to cybersecurity experts Noam Rotem and Ran Locar.
In a blog post, the researchers said "tens of millions" of text messages were left "completely unsecured and unencrypted” for an extended period of time. They believe text messaging firm TrueDialog -- an SMS provider for businesses and higher education providers -- is responsible for the leak.
Database now offline
TrueDialog operates a service that enables businesses to text marketing materials and alerts to their clients in bulk. Recipients are even able to text back. The firm boasts five billion subscribers worldwide.
"We contacted the company. We disclosed our findings and offered our expertise in helping them close the data leak and ensure nobody was exposed to risk," the researchers said. "The database has since been closed, but TrueDialog never replied to us."
Although the database was pulled offline on November 29, Rotem and Locar say the risk potential of the leak may linger for hundreds of millions of users.
“The available information can be sold to both marketers and spammers," the researchers said.
Since the database is now offline, there’s no way to tell who was impacted by the leak. To protect against the possibility of online exposure, security researchers continue to recommend that consumers set up two-factor authentication and frequently change their passwords on Google and Facebook accounts.
TechCrunch notes that the leak is “another example of why SMS text messages may be convenient but is not a secure way to communicate — particularly for sensitive data, like sending two-factor codes.”