Following a security breach, millions of text messages have been exposed from a database belonging to tech company Voxox. The messages, all exposed on the company’s server, included password reset links, shipping notifications, and two-factor authentication codes.
Even more worryingly, it has also been found that the server wasn’t password protected. This means that anyone with the skills and knowledge to find the information could do so.
Voxox acts as an intermediary service for online retailers like Amazon. It converts shipping and two-factor authentication codes into text messages. This information can then be sent to the customer’s mobile phone in text format.
Among the messages were two-factor codes sent to several partners of Booking.com for logging into an extranet corporate network. In addition, a number of small to medium-sized hospitals had sent reminders to patients regarding appointments and billing.
The records in question included various pieces of personal information: the recipient’s mobile phone number, the customer who sent the message, the message itself, and the shortcode that was used. The message itself, however, was only available to view for a very short time.
Following an enquiry by TechCrunch, security researcher Sébastien Kaul found that the database contained over 26 million text messages. However, it has been suggested that, based on the number of messages processed per minute on the platform, the actual figure could be even higher. The database was then taken offline by Voxox.
Dylan Katz, a security researcher, said in a TechCrunch interview: “My real concern here is the potential that this has already been abused. This is different from most breaches, due to the fact the data is temporary, so once it’s offline any data stolen isn’t very useful.”
In response to this, Kevin Hertz, Voxox’s co-founder and chief technology officer, said that the company was “looking into the issue and following standard data breach policy at the moment” and that the company was “evaluating impact”.