Security researchers recently discovered an unsecured cloud database owned by American communications company TrueDialog and hosted on Microsoft Azure that contained millions of email addresses, usernames, cleartext passwords, and base64 encoded passwords as well as detailed personal information of tens of millions of American citizens.
The unsecured cloud database was discovered by security researchers Noam Rotem and Ran Locar at vpnMentor on 26 November and access to the database was closed by TrueDialog on 29 November after being advised about the massive exposure of customer and corporate data records.
When analysing the unprotected cloud database running on the Oracle Marketing Cloud in the USA and hosted by Microsoft Azure, the researchers found that it contained up to 604 GB of data that included data records about the company itself, its client base, and the customers of its clients.
Over one billion data records stored in the database included millions of email addresses, usernames, cleartext passwords, and base64 encoded passwords as well as full names, email addresses, phone numbers, and TrueDialog account details of tens of millions of American citizens.
TrueDialog exposed millions to cyber threats by not encrypting sensitive customer data
TrueDialog offers SMS texting solutions such as mass texting, marketing SMS, and urgent SMS alerts to small and large businesses and works with over 990 cell phone operators around the world. The company's database therefore also contained tens of millions of SMS text messages, including the content of the messages, as well as additional data such as the dates and times messages were sent and status indicators on sent messages, like read receipts, replies, etc.
The researchers at vpnMentor were able to confirm that the database indeed belonged to TrueDialog as the company's host ID “api.truedialog.com” was found throughout the unsecured database. Even though TrueDialog did not respond to their alerts, access to the database was closed within 72 hours after the alert was sounded.
Not only did TrueDialog fail to secure the online database with a password, the company also failed to encrypt millions of user passwords and also used an unencrypted message system, thereby making it easy for corporate spies to read confidential messages that were sent by a rival company.
Because the database also contained logs of internal system errors, hackers could use the information to exploit vulnerabilities in the company's IT system and also use cleartext passwords to log in to TrueDialog accounts of tens of millions of U.S. citizens.
"A scammer could use the private details that were exposed in the messages, as well as the full names, emails and phone numbers exposed in it for a variety of fraudulent schemes. The vast amount of contact details itself is a huge asset for spammers. Moreover, exposed personal details can prove very valuable in order to target individuals to respond to spam and phishing.
"With all the message content exposed in cleartext, scammers will have plenty of ammunition for blackmail. Scammers can use any of the personal information that is sent by either customer, or students in the Education programs, and use it to extort them," the researchers said.
Cloud databases containing information on billions remain unprotected
As recently as last week, security researchers Bob Diachenko and Vinny Troia also discovered an unsecured cloud database containing personal information of up to 1.2 billion people, including names, email addresses, phone numbers, and social media profile information.
The researchers found that the unsecured Elasticsearch database contained up to 4 terabytes of data and 4 billion user accounts belonging to over a billion people from all across the world. The information stored in it was obtained from two different data enrichment companies, namely People Data Labs and Oxydata, whose job is to collate hundreds of data points into a person's profile before selling such data to buyers.
"Regardless of who set it up, the fact that it's insecure and publicly accessible means that anyone could have taken the data for any purpose. While it is stated that sensitive data such as passwords weren't included, the sheer volume of aggregated data makes the whole thing sensitive as a whole.
"There is no easy fix to these kinds of issues, and we will likely continue to see such leaks. We need vendors, cloud providers, and system administrators to adopt a more security-conscious mindset so that across the digital realm a secure culture propagates. Making it difficult for any one person to harvest data, aggregate in such large quantities, and leave publicly exposed," said Javvad Malik, security awareness advocate at KnowBe4.