Sébastien Kaul, a security researcher based in Berlin, has discovered a poorly secured database owned by communication firm Vovox that contained left names, phone numbers, tens of millions of SMS messages, temporary passwords, two-factor codes, shipping alerts, and other information belonging to customers of companies including Microsoft, Amazon, and Google.
It has been estimated that the exposed archive included at least 26 million text messages year-to-date.
“Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to one of Voxox’s own subdomains.” reported Techcrunch.
“Worse, the database — running on Amazon’s Elasticsearch — was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves.”
Vovox promptly took down the database after TechCrunch informed the company with an inquiry.
Anyone that accessed to the database while it was exposed online could have obtained two-factor codes sent by users to access their accounts potentially exposing them to account take over.
Below TechCrunch’s findings from a cursory review of the data:
Kevin Hertz, Voxox’s co-founder and chief technology officer, wrote in an email that the company is “looking into the issue and following standard data breach policy at the moment,” and that the company is “evaluating impact.”
(Security Affairs – Voxox, data leak)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.