
Unprotected VOIPO database exposed millions of internal system records
  • An unsecured database belonging to VOIPO exposed call logs, SMS/MMS message records, and system credentials.
  • The database, which was used for development purposes, had been accidentally left online.

An unprotected database belonging to Californian voice over IP services provider VOIPO was left publicly available. Justin Pane, Director of Trust & Safety at Cloudflare, found the unsecured database on January 8, 2019, via the Shodan search engine. The database, which was used for development purposes, had been accidentally left online.

What was exposed?

The exposed database contained millions of VOIP call logs, SMS/MMS records, and internal system credentials including hostnames, usernames, passwords, and API keys.

  • The database contained nearly 6.7 million documents consisting of call logs, including partial original numbers, partial destination numbers, timestamps, and call duration details.
  • The database also contained almost 6 million SMS/MMS records dating back to 2015, including both timestamps and the content of messages.
  • Further, 2 million log documents consisting of internal system data such as hostnames, plaintext usernames, passwords, and API keys were in the database.
  • The open database also listed conferencing devices used for VOIP sessions, detailing device IP addresses, MAC addresses, timestamps, and user-agent values for devices.

However, Pane noted that the VOIP call logs were partially discarded before being loaded into the database, so using this information for malicious activities would be difficult. Pane further stated that he did not see any two-factor authentication values logged with the SMS/MMS records; however, it is possible that such data was leaked.

What was the immediate action taken by VOIPO?

Pane reported the leaky database to VOIPO. Upon learning about the incident on January 8, 2019, the company took the system offline within a few hours in order to secure the database.

The company confirmed that the database contained valid data and said that it was used for development purposes and had been inadvertently left online.

“The exposure of internal information, however, is more serious. This could have resulted in a complete compromise of any system which used the leaked credentials, giving attackers access to sensitive company information,” ZDNet noted.