Vovox has reportedly exposed over 26 million text messages belonging to its customers, which include Microsoft, Amazon, and Google.
The Big Blunder
In a shockingly negligent act, Vovox, the communications giant, reportedly did not safeguard its server with a password. As a result, personal data such as phone numbers, messages and much more were accessible through Shodan, a search engine that indexes Internet-connected devices and services. Furthermore, it was only after being approached by TechCrunch that Vovox pulled it down.
These text messages included sensitive information such as temporary passwords, verification codes, password reset links and shipping details shared by the users of Vovox’s clients. This is a clear breach of private and sensitive personal data that put a massive number of users at risk.
How do SMS-Based 2-Factor Verifications work?
Typically, IT giants such as Google, Microsoft and Amazon outsource their data management to firms like Vovox. This includes the verification of phone numbers and the 2-factor verification codes. These IT giants trust firms like Vovox to act as a secure gateway in order to authenticate the login credentials. This exposure also shows that the IT giants sometimes fail to monitor these vendors.
This leak was uncovered by Sebastien Kaul, a Berlin-based security researcher. It is astonishing that none of these premier clients of Vovox had designated or deployed a team to oversee and monitor the efficiency of the data security services provided by Vovox. That could have helped curb this issue much earlier. What's worse is that the aforementioned 26 million messages were also found on one of the subdomains of Vovox.
According to TechCrunch, Kevin Hertz, the CTO of Vovox stated the following:
“looking into the issue and following standard data breach policy at the moment,” and that Vovox is “evaluating impact.”
This revelation shows that it is not always safe to transact online, as one could end up exposing one's personal and sensitive data and having the account hijacked. In fact, many experts advise that it is high time that SMS-based 2-factor verification was replaced with an effective alternative.