According to researchers at privacy firm vpnMentor, millions of Americans’ data is at risk following the discovery of a breached database belonging to TrueDialog. TrueDialog is “the leading SMS provider for mass text messaging, SMS marketing and personalized 2-way SMS texting at scale.”

vpnMentor’s research team, led by Noam Rotem and Ran Locar, discovered the database, which was linked to “many aspects” of TrueDialog’s business. The database had “millions of account usernames and passwords, PII data of TrueDialog users and their customers, and much more.”

The researchers found the database as part of a web mapping project, using port scanning “to examine particular IP blocks and test open holes in systems for weaknesses.” As ethical hackers, the company tries to identify breaches in an effort to make the web safer. Once a breach is found, they verify the database’s identity and alert the company who owns it.

In the case of TrueDialog’s database, vpnMentor was able to access it because it was left “completely unsecured and unencrypted.” The database was 604 GB in size and “included nearly 1 billion entries of highly sensitive data.” The entries included account login details, full names, TrueDialog account holders and users, message contents, email addresses, time stamps of sent messages and more.

vpnMentor says the type of data could make it possible for bad actors to take over TrueDialog customer accounts, engage in corporate espionage, steal identities, run phishing scams and blackmail users.

Once the researchers verified the threat level, they reached out to TrueDialog to notify them and offer assistance in securing the database. Shortly after, access to the database was shut down, although TrueDialog never contacted vpnMentor.

The Takeaway

There are several lessons to be learned from TrueDialog’s data breach.

• First and foremost, it is beyond shocking and inexcusable for a company of TrueDialog’s size and resources to be so irresponsible with customer data. There is simply no justification for leaving data—let alone highly sensitive data—unencrypted and exposed for the world to see.
• As a general rule, when privacy researchers alert a company of a data breach, it’s never a good idea to ignore them. Even if steps are taken to fix the issue, ignoring the researchers who found it gives the impression the company doesn’t care or has something to hide.
• Going silent is never a good response. TechCrunch was just one outlet that reached out to TrueDialog’s chief executive, John Wright, for comment. At the time of writing, John Wright and TrueDialog had not returned requests for comment or even acknowledged the breach. Wright also did not answer any of TechCrunch’s questions about what steps would be taken to alert impacted users, or notify regulators.

In short, if there’s a single point to take away from TrueDialog’s experience, it’s this: Don’t do anything TrueDialog has done in this case.