A major security lapse has exposed millions of text messages and sensitive data such as password reset links and two-factor authentication codes. The leaked database was hosted on a server belonging to the California-based firm Voxox.
The server was found on Shodan, a popular search engine for publicly reachable devices and databases, and was attached to one of Voxox’s subdomains. A report by TechCrunch suggests that the exposed database contained nearly 26 million text messages along with their timestamps. The cause of the leak was that the server was not password-protected, allowing anyone who found it to read the data.
The Voxox server was running on Amazon’s Elasticsearch service, which makes it easy to search for and read specific records in the database. With a Kibana front-end attached, anyone could browse and search the database by name, phone number, or the content of individual text messages. The exposed database was reported by Sébastien Kaul, a Berlin-based security researcher.
Internet users are often led to believe that two-factor authentication (2FA) is the most secure option. Yet the Voxox database contained the 2FA text messages of millions of users, including the one-time authentication codes themselves. In the wrong hands, this data could enable account takeovers at scale.
Internet platforms such as HQ Trivia and Viber partner with providers like Telesign and Nexmo to verify a user’s phone number or to send a two-factor authentication code. Voxox acts as the gateway that converts those codes into text messages and delivers them.
Each text message record is tagged with metadata and includes the recipient’s phone number. TechCrunch’s investigation found messages containing Microsoft account reset codes and Huawei ID verification codes. A number of hospitals also send patients reminders about upcoming appointments and billing inquiries, and those details were in the text messages as well.
Voxox is now investigating the matter and, according to co-founder and CTO Kevin Hertz, the company has taken the database offline.
Source - Techgig