Canadians are all too familiar with receiving automated text messages from many of the services they use. Large companies such as Uber and Google send these automated messages to their users in order to verify their identity, reset their passwords, or for marketing purposes.

Many businesses and public universities outsource this task to private companies such as TrueDialog. TrueDialog, which is based in Texas, was designed to allow companies, colleges, and universities to send bulk text messages to their customers and students.

On 1 December 2019, security researchers from vpnMentor revealed that they had found a database containing tens of millions of text messages sent through TrueDialog’s service. The database contained years' worth of sent and received text messages from customers. The database was left on the internet without password protection. None of the data was encrypted.

The data contained sensitive information about university finance applications, codes to access online medical services, and password reset and login codes for services including Facebook and Google.

The database also contained login credentials for TrueDialog customers, which would have allowed criminals to pose as legitimate businesses.

TrueDialog is the largest provider of two-way text messaging services to businesses.

TrueDialog’s Response

After being contacted by reporters from TechCrunch, a technology news site, TrueDialog removed the database from the internet. Despite this, TrueDialog has not commented on the data breach, and customers have not been informed that their data was exposed.

Due to TrueDialog’s lack of comment, it is not known how many customers were affected, or for how long customer data was exposed.

How Users Can Protect Themselves

This data breach highlights that although using text messaging for services such as two-factor authentication may be convenient, it is insecure. A criminal can hijack your SIM card, or gain access to texts you receive through a service such as TrueDialog.

Rather than rely on text messages, users can opt to use authenticator apps (such as Google Authenticator) on their smartphone, or use a physical token to secure their identity.

For more information, please visit the vpnMentor site.