An improperly secured database owned by a California voice-over-internet provider left millions of customer call logs, SMS message logs and plain-text credentials open for the taking for months.
The database belongs to VOIPO, which provides mobile services for consumers and commercial businesses.
Security researcher Justin Paine said in a Tuesday post that he found the open ElasticSearch database using Shodan (a search engine for publicly available devices and databases), and contacted VOIPO on Jan. 8. The database had been exposed since June 2018, he said.
When the security leak was reported to VOIPO, the company acknowledged that a development server had been accidentally left publicly accessible, and took the server offline.
However, VOIPO CEO Timothy Dick told Threatpost that there were “significant inaccuracies” in Paine’s report, such as the timeline of the exposure – instead of months, the database had been “exposed for a small window of time.” The server contained data for database load testing made up of call logs (partial numbers only), SMS messages that the system flagged as SPAM and some general server log data, he said.
“The inaccuracies are so big (such as the server being exposed for 6 months when Google invoices/logs clearly prove otherwise) and the assumption that dev servers could connect to our production servers, the entire thing should be retracted,” said Dick.
Up to 6.7 million call logs were exposed (including the partial numbers both called and received, time stamps and duration of the calls) going back to July 2017. Also exposed were 6 million SMS/MMS logs with the timestamp and content of the messages sent, going back to December 2015.
Paine also found nearly a million logs with references to internal hostnames, as well as plaintext usernames and passwords for those systems; and 1 million more logs containing API keys for internal systems.
“It is difficult to overstate the severity of this part of the leak,” said Paine. “Unless VOIPO had deployed adequate firewall protections (which this researcher did not test) to limit access to internal systems to a specific whitelist of IPs and/or a corporate VPN, then leaked internal hostnames in combination with the leaked usernames and passwords could have resulted in a near total compromise of all leaked production systems.”
VOIPO did not respond to a request for comment from Threatpost.
The data leak is reminiscent of a November data exposure by Voxox, a wholesale SMS provider. In that incident, a security researcher discovered a publicly available database containing tens of millions of text messages, password reset links and more.
Accidentally leaving a database publicly accessible is an easy mistake to fix – but also one that’s seemingly too easy to make.
“It does not take much for outsiders to find unsecured databases and access sensitive information,” Stephan Chenette, CTO and co-founder at AttackIQ, said in an email.
“Misconfigured security controls are an all too common problem,” he said. “Data leaks of any kind can undermine customer confidence and are usually caused by security issues, or in VOIPO’s case, technical errors, that are easily preventable. Unauthorized exposure of any type of customer data, for any period, is a serious issue and organizations should always have a plan to continuously assess the viability of their security controls.”
This story was updated on Friday Jan. 18 at 7:30 a.m. with comments from VOIPO’s CEO.