Skip to main content

Latest SMS breach could allow hackers access to your online accounts

how to send a text from your email account
kantver/123RF

More than 26 million text messages may have been breached as a result of an unsecured database operated by telecommunications company Vovox. Cybersecurity researcher Sebastien Kaul discovered that the unsecured database was not even password protected, and information contained within those messages include passwords in plain text, two-factor authentication codes, account security codes, tracking information for package shipments, account reset codes, and even medical appointment reminders. Notably, these messages include communications from banks, medical institutions and hospitals, Yahoo, Google, Microsoft, and Huawei.

When a developer sends a two-factor authentication code or when a user requests a login link via text messages, “it’s firms like Voxox that act as a gateway and converting those codes into text messages, to be passed on to the cell networks for delivery to the user’s phone,” TechCrunch noted of Vovox’s role in maintaining an unsecured database of SMS messages. SMS, which stands for short message service, is another name for text messages sent over a carrier’s network.

Vovox has since pulled the database, and at this time it’s unclear if any information contained within the database had been accessed by a malicious actor. In addition to having information about the recipient’s mobile number, the database potentially offered any hacker near real-time access to password reset links and two-factor authentication codes. This places many accounts at risk. Vovox cofounder and CTO Kevin Hertz told TechCrunch in an email that the company is investigating the breach and that it is also “evaluating impact.”

According to Kaul, the database contained records with detailed information about the message. “Each record was meticulously tagged and detailed, including the recipient’s cell phone number, the message, the Voxox customer who sent the message and the shortcode they used,” TechCrunch said.

Although when used with login credentials, SMS verification offers more protection than a merely using a username and password, more recently security experts have issued warnings about the vulnerability of SMS systems. Primarily, researchers have warned that SMS messages could be intercepted, and this latest breach is a prime example of that. As a result, experts say that utilizing authentication apps or hardware-based USB security keys, like Google’s Titan keys, are safer options when it comes to multi-factor authentication.

Chuong Nguyen
Silicon Valley-based technology reporter and Giants baseball fan who splits his time between Northern California and Southern…
Online payment fraud has doubled over the past seven years
A person holding a ThinkPad Nano X1 Gen 2 laptop in front of a window.

Online payment fraud increased 137% over the past seven years according to research conducted by SEON, a UK-based fraud prevention service.

SEON based its research on data from the Identity Threat Research Center and used it to identify data compromises that came from online payments.

Read more
This vulnerability allowed hackers to access every aspect of your Mac
The MacBook Air on a table in front of a window.

Apple just released an update for your Mac and MacBook that includes two important security fixes. The vulnerability is in MacOS Monterey and you need to have version 12.5.1 to keep your Mac safe from active exploits.

An active exploit is a computer security term that means this security flaw has already been found and used by hackers. While the full details of the vulnerabilities are being withheld to give people a chance to download the update, Apple did share some information about the issues.

Read more
Hackers have found a way to log into your Microsoft email account
A depiction of a hacker breaking into a system via the use of code.

Account holders for Microsoft email services are being targeted in a phishing campaign, according to security researchers from Zscaler's ThreatLabz group.

The objective behind the threat actors’ efforts is believed to be the breaching of corporate accounts in order to perform business email compromise (BEC) attacks.

Read more