Voxox, a San Diego-based communications company, has exposed around 26 million text messages, along with other crucial data belonging to its customers, in a recent data leak incident. The leak occurred due to an unprotected database belonging to the firm.
The communications giant reportedly did not protect its server with a password. As a result, personal data of customers working at companies such as Microsoft, Amazon and Google was leaked.
The compromised information includes phone numbers, messages, password reset links and codes, two-factor verification codes, temporary passwords, shipping notifications and other details of customers.
The leaky database was discovered on Shodan by Sebastian Kaul, a Berlin-based security researcher. Voxox promptly took down the vulnerable database after being contacted by TechCrunch, a U.S.-based online news firm.
“Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to one of Voxox’s own subdomains. Worse, the database — running on Amazon’s Elasticsearch — was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves,” TechCrunch reported.
Among the other findings, TechCrunch reported that the exposed data includes:
- A password sent in plaintext to a Los Angeles phone number by the dating app Badoo;
- Six-digit two-factor codes of several Booking.com partners;
- Six-digit security codes sent by Fidelity Investments to a particular area in Chicago;
- Two-factor verification codes for Google accounts of users residing in Latin America;
- A shipping notification including a tracking link and a UPS tracking number sent by Amazon; and
- Messages containing Microsoft’s account password reset codes and Huawei ID verification codes.
Meanwhile, Kevin Hertz, Voxox’s co-founder and Chief Technology Officer, has said in an email that the company is looking into the issue and following standard data breach policy at the moment.