Voxox, a VOIP and cloud communication provider of wholesale SMS and voice services, exposed a massive database of tens of millions of text messages containing a wide range of highly sensitive info such as plaintext passwords, 2FA codes, password reset codes, phone numbers, and verification codes.
The database exposed to public access was stored on an unprotected server found by security researcher Sébastien Kaul with the help of the Shodan Internet-connected device search engine.
Moreover, as first reported by TechCrunch's Zack Whittaker, the text message database found by Kaul on the open Internet provided anyone who accessed it with an almost real-time view of all the information going through Voxox's SMS gateway.
As discovered by Kaul, the server was running an Amazon Elasticsearch managed service used for deploying a distributed data search and analytics engine, with the open source Kibana data visualization plugin enabled for quick and straightforward database analysis.
This meant that anyone who would have stumbled on the exposed database with enough knowledge to use Elasticsearch could have used it as a search engine for finding anything from names and phone numbers to shipping details and passwords in plain text.
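The exposure described above comes down to who the domain's access policy lets in. The following Python script is an added example, not code from the article, from Voxox, or from AWS: it audits an Amazon Elasticsearch domain access policy (an IAM resource policy, which also governs the bundled Kibana endpoint) and flags any Allow statement that grants an anonymous principal with no IP restriction. Both policies below are constructed samples; the account ID, domain name, role name and IP range are placeholders.

```python
"""Audit an Amazon Elasticsearch domain access policy for anonymous,
unrestricted access.  Constructed example: the policies, account id,
domain name, role and IP range are placeholders, not Voxox's configuration."""
import json


def _as_list(value):
    # IAM allows a string or a list in most policy fields; normalise to a list
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    # "*" or {"AWS": "*"} grants to every caller, unauthenticated ones included
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def audit_access_policy(policy):
    """Return a list of finding strings; an empty list means no open statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        condition = stmt.get("Condition") or {}
        if not condition:
            # Anonymous principal and no Condition: reachable from the whole Internet
            findings.append(
                f"statement {i}: anonymous principal, no Condition, actions={actions}")
        elif "IpAddress" not in condition:
            findings.append(
                f"statement {i}: anonymous principal, Condition lacks an IpAddress restriction")
    return findings


# Weak setting: the classic "open to the world" domain policy (constructed sample)
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "es:*",
    "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-sms-logs/*"
  }]
}""")

# Corrected setting: a named IAM role only, and only from a known address range
RESTRICTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-analytics-role"},
    "Action": ["es:ESHttpGet", "es:ESHttpPost"],
    "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-sms-logs/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}
  }]
}""")


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_access_policy(policy) or "no open statements")
```

The check is deliberately conservative: a statement with an anonymous principal is only considered acceptable when it carries an `IpAddress` condition, because any other condition type still leaves the search and Kibana endpoints reachable by anyone who finds the hostname.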
SMS-based two-factor authentication? No, thanks!
"At the time of its closure, the database appeared to have a little over 26 million text messages year-to-date," as reported by Whittaker. "But the sheer volume of messages processed through the platform per minute — as seen through the database’s visual front-end — suggests that this figure may be higher."
The biggest issue Voxox's data breach brings into the spotlight is the ease with which a targeted operation could have compromised this virtual trove of very sensitive info and abused it without anyone knowing, completely hijacking entire 2FA systems in one swift move.
This could have already happened before Kaul found the database and Voxox took the exposed database offline, especially seeing that there is no information available regarding the range of time the server was publicly accessible.
Moral of the story? If you care about your two-factor authentication codes, passwords, shipping information, or phone numbers, don't use SMS-based 2FA.
You're a lot better off using a two-factor authentication app such as Authy, Google Authenticator, or LastPass Authenticator, given that they don't rely on any gateway that can be compromised at any given time.