Skip to main content

Latest SMS breach could allow hackers access to your online accounts

how to send a text from your email account

More than 26 million text messages may have been breached as a result of an unsecured database operated by telecommunications company Vovox. Cybersecurity researcher Sebastien Kaul discovered that the unsecured database was not even password protected, and information contained within those messages include passwords in plain text, two-factor authentication codes, account security codes, tracking information for package shipments, account reset codes, and even medical appointment reminders. Notably, these messages include communications from banks, medical institutions and hospitals, Yahoo, Google, Microsoft, and Huawei.

When a developer sends a two-factor authentication code or when a user requests a login link via text messages, “it’s firms like Voxox that act as a gateway and converting those codes into text messages, to be passed on to the cell networks for delivery to the user’s phone,” TechCrunch noted of Vovox’s role in maintaining an unsecured database of SMS messages. SMS, which stands for short message service, is another name for text messages sent over a carrier’s network.

Vovox has since pulled the database, and at this time it’s unclear if any information contained within the database had been accessed by a malicious actor. In addition to having information about the recipient’s mobile number, the database potentially offered any hacker near real-time access to password reset links and two-factor authentication codes. This places many accounts at risk. Vovox cofounder and CTO Kevin Hertz told TechCrunch in an email that the company is investigating the breach and that it is also “evaluating impact.”

According to Kaul, the database contained records with detailed information about the message. “Each record was meticulously tagged and detailed, including the recipient’s cell phone number, the message, the Voxox customer who sent the message and the shortcode they used,” TechCrunch said.

Although when used with login credentials, SMS verification offers more protection than a merely using a username and password, more recently security experts have issued warnings about the vulnerability of SMS systems. Primarily, researchers have warned that SMS messages could be intercepted, and this latest breach is a prime example of that. As a result, experts say that utilizing authentication apps or hardware-based USB security keys, like Google’s Titan keys, are safer options when it comes to multi-factor authentication.

Editors' Recommendations

Chuong Nguyen
Silicon Valley-based technology reporter and Giants baseball fan who splits his time between Northern California and Southern…
Hackers have found a way to log into your Microsoft email account
A depiction of a hacker breaking into a system via the use of code.

Account holders for Microsoft email services are being targeted in a phishing campaign, according to security researchers from Zscaler's ThreatLabz group.

The objective behind the threat actors’ efforts is believed to be the breaching of corporate accounts in order to perform business email compromise (BEC) attacks.

Read more
A data breach can cost millions of dollars — and you might be paying it
A dark mystery hand typing on a laptop computer at night.

According to a recent report from IBM Security, data breach costs are constantly on the rise. Unfortunately, this spells bad news not just for the companies involved, but also for the customers -- in more ways than one.

The report, which states that an average data breach is now estimated to cost $4.4 million, exposes the fact that the skyrocketing costs of data breaches directly affect the prices paid by the end customer.

Read more
Researchers say your GPU could expose private info online
The new Nvidia GeForce MX570 chip.

In an age of increased online privacy awareness, many of us are conscious of our digital fingerprints and prefer not to be tracked. However, it may not be as simple as it previously seemed.

An international team of researchers has found that users can be tracked down by their graphics cards. This is done through a new technique referred to as "GPU fingerprinting."

Read more