A massive trove of tens of millions of SMS text messages was found online, and, as they were stored in an unencrypted format, anyone who knew of their location could copy or read them. The news of the massive breach was reported by TechCrunch, which says the database of millions of SMS messages came from a company called TrueDialog.
TrueDialog provides SMS solutions to businesses and higher education institutions by allowing such organizations to not only communicate with their customers via SMS, but also allowing those customers to text the business back directly. As a result, the tens of millions of SMS messages left exposed contained a number of highly sensitive data about the receiver of the message. Such data included two-factor codes, university finance application data, job alerts, codes to access online medical services, password reset and login codes for Facebook and Google, email addresses, read receipt indicators, phone numbers, and more. Access to the SMS messages would have allowed malicious actors to impersonate the receiver.
The massive haul of exposed SMS messages was found by security researchers Noam Rotem and Ran Locar on November 26. After contacting TrueDialog but not hearing back from the company, TechCrunch contacted the company. It was only then that TrueDialog pulled the database offline.