Stories

Report: Database of login text messages left exposed online

Man with cellphone and laptop leans against wall with bicycle
Photo: Westend61 via Getty Images

A database containing millions of text messages used to authenticate users signing into websites was left exposed to the internet without a password, TechCrunch's Zack Whittaker reports.

Why it matters: What was at risk here were those text messages a bank might send customers after they entered a passwords, password reset links and other automated text messages sent by businesses. While there's no evidence that a malicious actor was monitoring the database, it was dangerous information to have exposed.

Details: The database belonged to the automated text message service Voxox. Per the report:

  • The database was discovered by security researcher Sébastien Kaul and remained online until Whittaker contacted Voxox.
  • The text messages included security codes sent by Fidelity Investments, Booking.com and Google.
  • Voxox had sent more than 26 million text messages to date this year.

But, but, but: Remember, these codes typically only remain active for a few minutes. So while the danger would be very real, only text messages that were being monitored as they were added to the database would put anyone's account at risk.