A massive database storing tens of millions of text messages, most of them sent by businesses to potential customers, has been found exposed online.
The database was operated by TrueDialog, an SMS service provider for businesses and higher-education providers that lets universities, colleges and companies send bulk text messages to their customers and students. The Austin, Texas-based company advertises that recipients can also text back, which gives businesses two-way communication with their customers. The database stored years of text messages sent and received by TrueDialog's customers and processed by TrueDialog. Because it was left on the internet without a password, and none of the data was encrypted, anyone who found it could read its contents. Earlier this month, security researchers found the exposed database as part of their internet-scanning work and observed that a portion of the data consisted of detailed logs of messages sent by customers, including phone numbers and message contents.
The database held marketing messages from businesses with discount codes, university finance applications and job alerts. But it also held sensitive messages, such as security codes and two-factor authentication codes, with which a viewer could gain access to a person's online accounts; the list goes on, with codes for accessing online medical services and password-reset and login credentials for websites such as Gmail and Facebook. Because two-way conversations were tagged with a unique conversation code, an entire chain of messages could be read with ease, and a single log table alone held millions of text messages. When the security researchers informed TrueDialog of the exposure, the company quickly pulled the database offline. Worse, the company's chief executive stayed silent throughout: he would not acknowledge the breach, gave no substantive answer when asked for comment, and did not even say whether the company would follow state data-breach notification laws and inform its customers about the security lapse.
Unfortunately, this is only one of many companies that hold sensitive consumer information, neglected to take the necessary security measures, and left sensitive text messages on the internet for anyone to read. It is yet another example of how convenient text messages are, and how easily they can be compromised by the carelessness of the service providers that handle them.
A breach of Mixcloud, the audio-streaming platform based in the United Kingdom, has put the security and privacy of more than a million user accounts at risk, and minutes later the stolen data was on sale on the dark web. The breach happened earlier in November, according to the dark-web seller, who also supplied a portion of the data so that its authenticity could be examined and verified. The data contained login credentials and email addresses; the passwords appeared to be scrambled with the SHA-2 algorithm, making them nearly impossible to unscramble. The data also contained sign-up dates and login dates for the accounts, the country from which each user accessed the account, the user's IP address, and a direct link to the profile picture. Mixcloud, however, does not force its users to verify their email addresses.
Exactly how much data was stolen from the company's database is still unknown, but according to the anonymous dark-web seller the total exceeded 25 million records, all of them on sale on the dark web. The data was put up for auction, with the highest bidder in bitcoin getting direct access to the private data of the affected users. It is the latest in a string of high-profile data breaches in recent months. The data came from the same dark-web seller who alerted TechCrunch to the StockX breach earlier this year: the apparel trading company initially told customers that its customer-wide password reset was for system maintenance, but later had to confirm that it had been compromised and that its failings had exposed an immense number of records. A Mixcloud spokesperson did not comment and did not answer any questions, including whether the company plans to inform customers under U.S. state and EU data-breach notification laws. The company's co-founder also did not respond. As a London-based company, Mixcloud falls under U.K. and European data protection rules, and a company that violates the European GDPR can be fined approximately 4% of its yearly turnover.
In our years of covering web security, there is one lie we have encountered again and again: the claim that a company takes your privacy and security very seriously. By now most consumers know better. The phrase turns up on many occasions, but above all it is the stock statement companies issue in the wake of a data breach; they put it in their notification emails and on their websites. The harsh reality is that many of them don't really care about your privacy at all: many have been caught misusing customer data, and some have been fined for selling their customers' private information for extra profit. We have never understood what the phrase is supposed to mean. Honestly, if companies really cared about your privacy, then data-hungry companies like Google and Facebook would have to stop selling consumers' private data to advertisers. If, after reading all this, some of you still prefer to live in a bubble and believe that the allegations are wrong and that companies are fluffy angels who cannot lie to you, look at the data we compiled by scraping every report filed with the California attorney general's office, which state law requires in the event of a security breach. Approximately one-fourth of all data breach notifications contained some variation of that phrase, and in practice it signals that the company doesn't really care about your privacy and doesn't even know what its next step is.
Let me give you another perfect example of corporate incompetence. Last week, many OkCupid users complained that their accounts had been compromised. Their accounts were hit by credential stuffing, in which cyber-criminals take lists of stolen login credentials and try them in bulk to force their way into users' accounts. Many organizations have learned from such attacks and taken the time to improve account security, for instance by rolling out two-factor authentication. OkCupid's response instead was to defend, deflect and deny, the usual way for organizations to make negative stories go away. It looked like this:
The company said that almost every website has to deal with account-takeover attempts.
It later told another publication that there was no strong evidence supporting the story.
It stayed silent when asked what further steps it would take to address the issue.
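Credential stuffing has a signature that is easy to tell apart from an ordinary forgotten password: one source address fails logins against many different accounts in a short window, and a success in the middle of such a burst means a reused password actually worked. The following is an added example of detection logic over a few constructed login-log lines; it is not code from the article or from OkCupid or any other company named here, and the log format, field names, thresholds and TEST-NET IP addresses are all assumptions made for the example.

```python
"""Credential-stuffing detection over constructed login logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format; IPs are from the
# documentation ranges (TEST-NET-3 / TEST-NET-2), not real hosts.
SAMPLE_LOG = """\
2019-11-20T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-11-20T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-11-20T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2019-11-20T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2019-11-20T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2019-11-20T10:00:04Z ip=203.0.113.5 user=frank result=OK
2019-11-20T10:00:10Z ip=198.51.100.7 user=grace result=FAIL
2019-11-20T10:00:40Z ip=198.51.100.7 user=grace result=FAIL
2019-11-20T10:01:05Z ip=198.51.100.7 user=grace result=OK
2019-11-20T10:30:00Z ip=203.0.113.5 user=heidi result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Return a list of (timestamp, ip, user, success) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("ip"), m.group("user"), m.group("result") == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_accounts=5, min_failures=5):
    """Flag source IPs that, within any sliding window, failed at least
    min_failures logins spread over at least min_accounts distinct usernames.

    Returns {ip: {"accounts": n, "failures": n, "successes": n}}. A non-zero
    "successes" count inside a flagged burst is the urgent case: a password
    from the attacker's list matched a real account.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):
            # Sliding window anchored at each event for this IP.
            burst = [e for e in evs[i:] if e[0] - start <= window]
            failures = [e for e in burst if not e[3]]
            accounts = {e[2] for e in failures}
            if len(failures) >= min_failures and len(accounts) >= min_accounts:
                flagged[ip] = {
                    "accounts": len(accounts),
                    "failures": len(failures),
                    "successes": sum(1 for e in burst if e[3]),
                }
                break  # one hit per IP is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT credential stuffing from {ip}: {stats}")
```

On the sample data only 203.0.113.5 is flagged (five accounts, five failures, one success in the burst); 198.51.100.7, a single user retrying their own password, is left alone. The same per-IP account-spread counter is what a rate limiter or a step-up to two-factor authentication would key on.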
Unfortunately, companies like this one have long neglected security, and constant denial and hollow reassurance is their standard way of dealing with incidents in which the private details of the customers who trusted them are at stake. Most breaches happen because of careless behavior and weak security measures. Cyber-criminals advance their techniques every day, while the companies entrusted with customers' private information do nothing but offer false reassurance. Companies could instead reach out to their customers, educate them about security flaws, and ask them to report bugs immediately. Every start-up should take security seriously from the beginning so that, in the future, its databases are properly protected. Yet even the most successful companies ignore these issues and prefer the escape hatch of paying fines. By now, companies ought to understand the seriousness of these issues and, instead of ignoring them, employ a proper development team to strengthen their security. But with so little incentive to change, these organizations will keep burying their heads in the sand and insisting that everything is fine when they should be acting to prevent such incidents.