
Millions of SMS messages exposed in database security lapse - known
https://techcrunch.com/2019/12/01/millions-sms-messages-exposed/
======
breakingcups
> TechCrunch contacted TrueDialog about the exposure, which promptly pulled
> the database offline. Despite reaching out several times, TrueDialog’s chief
> executive John Wright would not acknowledge the breach nor return several
> requests for comment. Wright also did not answer any of our questions —
> including whether the company would inform customers of the security lapse
> and if he plans to inform regulators, such as state attorneys general, per
> state data breach notification laws.

Though it doesn't mention a timeline, this does seem like a way to pour
gasoline onto a PR dumpster fire.

------
threatofrain
> But the data also contained sensitive text messages, such as two-factor
> codes and other security messages, which may have allowed anyone viewing the
> data to gain access to a person’s online accounts. Many of the messages we
> reviewed contained codes to access online medical services to obtain, and
> password reset and login codes for sites including Facebook and Google
> accounts.

> The data also contained usernames and passwords of TrueDialog’s customers,
> which if used could have been used to access and impersonate their accounts.

~~~
retSava
Hence why 2FA tokens and reset links should have a short window of validity,
and why shallow information such as knowing account name, or address, or
mother's maiden name, should not be used for sensitive purposes.
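
A minimal version of the short-window, single-use handling retSava describes, as an added example (not code from the thread or from TrueDialog). The TTL, the attempt limit and the in-memory store are assumptions; the same routine serves a 6-digit SMS code and a long reset-link token.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 300      # assumption: a 5-minute validity window
MAX_ATTEMPTS = 5       # assumption: lockout so 6-digit codes cannot be guessed

_pending = {}          # user_id -> record; in-memory stand-in for a DB table


def _digest(secret):
    return hashlib.sha256(secret.encode()).hexdigest()


def issue(user_id, numeric=False, now=None, ttl=TTL_SECONDS):
    """Create a one-shot secret for user_id. numeric=True gives a 6-digit SMS
    code, otherwise a long URL-safe token for a reset link. Only the hash is
    stored, so a leaked table or SMS log is useless once the window closes."""
    now = time.time() if now is None else now
    secret = f"{secrets.randbelow(10**6):06d}" if numeric else secrets.token_urlsafe(24)
    _pending[user_id] = {"hash": _digest(secret), "expires": now + ttl, "attempts": 0}
    return secret


def redeem(user_id, presented, now=None):
    """Return True exactly once: the secret must match, be inside its window
    and be under the attempt limit. Expired or brute-forced records are dropped."""
    now = time.time() if now is None else now
    rec = _pending.get(user_id)
    if rec is None:
        return False
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(user_id, None)      # expired or too many guesses: discard
        return False
    if not hmac.compare_digest(rec["hash"], _digest(presented)):
        rec["attempts"] += 1             # wrong guess: count it, keep the record
        return False
    _pending.pop(user_id)                # single use: consume on success
    return True
```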

~~~
threatofrain
This brings up some interesting technical questions: how long is too long and
what is a deep question for identity?

~~~
theshadowknows
One time I did a "forgot password" reset on an old email account. Apparently
young me thought it was a good idea to choose the 'pick your own question'
thing and the question I chose was "What?"

...to this day I still don't remember what the answer was.

~~~
dpeck
Depending on how young, there’s a decent chance the answer was some variation
of “chicken butt”

~~~
theshadowknows
Hah!

------
ga-vu
Actual source: https://www.vpnmentor.com/blog/report-truedialog-leak/

Saved you a click

------
haolez
From the original article, it seems to be ElasticSearch again. Why do so many
companies expose ES to the open internet?

~~~
tyingq
Terrible defaults, and stuff like this: https://discuss.elastic.co/t/ransom-attack-on-elasticsearch-cluster/71310/17
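
A small audit of the two settings behind the "terrible defaults" point in haolez's question and tyingq's reply, as an added example (not Elastic's code and not from the thread). The two configs are constructed; `network.host`, `http.port` and `xpack.security.enabled` are real Elasticsearch settings, and treating an unset `xpack.security.enabled` as off matches the 6.x/7.x behaviour the thread is about (assumption stated in the code).

```python
# Constructed sample: the shape of a node that ends up on Shodan.
WEAK_CONFIG = """\
cluster.name: prod-sms
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: bound to loopback and with security on.
HARDENED_CONFIG = """\
cluster.name: prod-sms
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

# Values of network.host that stay off the network (unset means loopback).
LOOPBACK = {"", "_local_", "127.0.0.1", "::1", "localhost"}


def parse_flat_yaml(text):
    """Read simple 'key: value' lines from elasticsearch.yml; skips comments
    and blanks. Nested YAML is out of scope for this check."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit(text):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "")
    # Assumption: unset security means disabled, as on 6.x/7.x basic licences.
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    if host not in LOOPBACK and not security_on:
        findings.append(f"network.host={host} reachable with security disabled")
    if not security_on:
        findings.append("xpack.security.enabled is not true")
    return findings
```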

~~~
nullwarp
I will never understand why basic authentication in ES was locked behind a
X-Pack license. That's always seemed absolutely bonkers to me.

~~~
vageli
> I will never understand why basic authentication in ES was locked behind a
> X-Pack license. That's always seemed absolutely bonkers to me.

Security is an enterprise feature. Dealing with this now trying to enable SAML
in a few SaaS apps, for example.

~~~
tyingq
It's not just locked behind the X-Pack...if you choose a trial, it works.
Then, when the trial expires, poof...it's wide open. Surely there's a better
way to handle that.

~~~
neurostimulant
Wow, is this true? Instead of disabling access or shutting down the db server,
they simply removed authentication and left the db wide open when the trial expired?

~~~
tyingq
Was true in 2017. It has apparently been fixed since.

------
woadwarrior01
IMO, mining SMS messages for data is by definition going too far in terms of
intrusion into people's privacy.

On a related note, I came across a post on the machine learning subreddit[1]
recently, where the author claims to have a dataset of 33 million SMSs in
Mexican Spanish. I'm half suspecting the OP added the Mexican prefix to
prevent anyone from doubting that his dataset was collected in Spain (in which
case GDPR applies). This was likely collected from an Android app which
surreptitiously collected them with the "Telephony.SMS_RECEIVED" intent, and the
author half confirms it[2].

Regardless of the legality of doing so, reading people's private SMSs just
reeks of privacy violations. iOS in this specific case does the right thing by
not letting apps read incoming text messages (except for the limited case of
reading single-factor SMS login codes[3], which was introduced in iOS 12).

[1]: https://www.reddit.com/r/MachineLearning/comments/e0z7xs/discussion_hyperparameters_for_word2vec_for_sms/

[2]: https://www.reddit.com/r/MachineLearning/comments/e0z7xs/discussion_hyperparameters_for_word2vec_for_sms/f8lfbpt

[3]: https://developer.apple.com/documentation/uikit/uitextcontenttypeonetimecode

~~~
travem
> except for the limited case of reading single-factor SMS login codes

Is the app actually reading the code? I thought this was just a UI hint that
made it easier for the user to select the code from the suggestion area of the
keyboard

~~~
dlhavema
You don't code anything in your app to get/use this feature. If you click the
suggestion iOS fills in the passcode for the user.

------
Avery3R
Non-techcrunch link: https://www.vpnmentor.com/blog/report-truedialog-leak/?=truedialog-exposed-data

------
ryanmcdonough
I wonder if this is why I’ve been getting phone call spam from Switzerland &
Turkmenistan the past few days.

------
spamlord
Where can I download the database to see if any of my own information has been
pwnd?

------
sojmq
Nice clickbait. A database from a B2C provider, not personal texts from a
telco.

~~~
lightedman
What's the difference? Security breaches are security breaches, no matter
what.

