Huge Database with Millions of Personal Records Left Unprotected for Months

TechCrunch (15/01/2019) reports:

An unprotected and exposed server storing millions of call logs and text messages has been found by a security researcher. […]

Back in November, another telecoms company, Voxox, exposed a database containing millions of text messages — including password resets and two-factor codes.

This time around, it’s a different company: Voipo, a Lake Forest, Calif. communications provider, exposed tens of gigabytes worth of customer data. […] Security researcher Justin Paine found the exposed database last week […]

Voipo is a voice-over-internet provider, providing residential and business phone line services that they can control themselves in the cloud. […] But because one of the backend ElasticSearch databases wasn’t protected with a password, anyone could look in and see streams of real-time call logs and text messages sent back and forth.

It’s one of the largest data breaches of the year — so far — totaling close to seven million call logs, six million text messages and other internal documents containing unencrypted passwords that if used could have allowed an attacker to gain deep access to the company’s systems.

Paine said, and noted in his write-up, that the database contains call and message logs dating back to May 2015 […] and went up to January 8 — the day the database was pulled offline. […]

Another file contained a list of network appliance devices with usernames and passwords in plaintext. A cursory review showed that the files and logs contained a meticulously detailed and invasive insight into a person or company’s business, who they’re talking to and often for what reason.

Yet, none of the data was encrypted. […]