UPDATED 21:06 EDT / DECEMBER 02 2019

SECURITY

Exposed database belonging to SMS text provider TrueDialog puts millions at risk

Private data, including tens of millions of SMS text messages linked to communication company TrueDialog, has been found exposed online, putting data related to millions of Americans at risk.

Found and publicized today by security researchers at vpnMentor, the breach involved an unsecured Oracle Marketing Cloud database exposed on Microsoft Azure. The 604 gigabytes of data in the database included nearly 1 billion entries exposing the company itself, its client base and the customers of those clients.

Included in the database were millions of email addresses, usernames, cleartext passwords and base64-encoded passwords, the latter being easy to decode. The tens of millions of SMS messages included full names of recipients, TrueDialog account holders and users, the content of messages, email addresses, phone numbers, dates and times the messages were sent and status indicators.

TrueDialog provides services to U.S. companies, colleges and universities to send bulk text messages, but the data gathered didn’t stop there. Included in the text messages were two-factor codes and other security measures, which may have allowed anyone viewing the data to gain access to a person’s online accounts, according to TechCrunch.

The database has since been taken offline, but the risk that it was discovered and accessed before it was taken down opens the door to all sorts of nefarious activity. The researchers note account takeovers as the most notable use of the data, but it could also be used for identity theft and fraud, phishing scams, blackmail and, in the case of clients, corporate espionage.

TrueDialog itself has yet to respond to the report. It’s presumed that the company failed to take basic security measures to protect the database, a mistake seen many times before.

The fact that the data was externally hosted has been raised as a potential factor. “Companies today are outsourcing more and more business processes to third parties, which is why we’ve seen such a dramatic increase in breaches like this,” Kelly White, chief executive officer of cybersecurity firm RiskRecon Inc., told SiliconANGLE.

“Every service provider in your third-party ecosystem is another potential source of data exposure,” White explained. “It’s a tradeoff that most enterprises make a thousand times in order to more effectively run their business. But putting blind trust into a service provider and assuming they’ll keep sensitive data safe is a recipe for disaster.”

That’s why it’s so important for companies to extend their ability to safeguard data across the networks of outside parties, he added. “That means asking questions like whether service providers have taken the necessary precautions to keep sensitive data under lock and key,” he said. “That includes using cloud storage that isn’t internet-facing in order to reduce unnecessary exposure.”
