A researcher has discovered an exposed database containing gigabytes of call logs, SMS data, and internal system credentials belonging to US Voice-over-IP (VoIP) service provider VOIPo.com.
It’s become a familiar story – a researcher trawls Shodan for something left out in the open that shouldn’t have been and is amazed at what they find.
This time the finder was Cloudflare’s Justin Paine, who on 8 January used this technique to spot an unsecured (i.e. not password protected) Elasticsearch server containing nearly 15 million documents.
This included what appear to be customer logs dating back to July 2018, and SMS/MMS logs (including time and message content) dating back to December 2015. A sample SMS published by Paine appears to be a marketing message:
Phat Panda Platinum series has arrived!! Perfect way to bring in the New Year!
Most phone numbers were partially redacted, but those in SMS logs were full numbers.
Separately, news site TechCrunch looked at the data and found credentials for customer login pages, which is why anyone who uses VOIPo should change their passwords as a precaution.
Ironically, the biggest danger of all was probably to VOIPo itself.
One index comprising a million documents contained more valuable data such as internal hostnames, usernames, passwords, and API keys.
Paine believes this part of the data was exposed on 3 June 2018, which means it was left in an unprotected state for six months.
Hypothetically, this could have exposed VOIPo in various ways, including its billing, DNS infrastructure, e911 system, as well as its customers being exposed to convincing phishing attacks. Writes Paine:
It is difficult to overstate the severity of this part of the leak.
This is speculation, of course, because there is no evidence any of this came to pass.
After contacting VOIPo on the same day the data was discovered, 8 January, the company took the exposed database offline.
In an email to Paine, it said the data was on a development server accidentally left exposed and confirmed that it contained valid production data, without elaborating.
Separately VOIPo CEO Timothy Dick told Techcrunch that the company had seen no evidence that any of the data had been breached without explaining how he was certain of this.
At this time though, we have not found any evidence in logs or on our network to indicate that a data breach occurred.
What to do
As suggested, it’s wise for VOIPo customers to change their account passwords. We’d also recommend setting up two-factor authentication, assuming VOIPo offers this.
This is the second incident involving companies in this sector exposing data on Elasticsearch after another US company, Voxox (formerly Telcentris), suffered a similar fate in November.
Beyond this, databases left on cloud services in an unsecured state have become the configuration screw-up of the era.
In September, it emerged that Veeam had left 200GB of customer data exposed on a Mongo AWS database.
In 2017, researchers discovered another database on AWS exposing the medical data of 918,000 patients.
There have been others too, all noticed by researchers using tools that any cybercriminal would have access to. Let’s indulge a statement of the obvious by saying this should be avoidable.