Slashdot Mirror


A Leaky Database of SMS Text Messages Exposed Password Resets and Two-Factor Codes (techcrunch.com)

A database which contained millions of text messages used to authenticate users signing into websites was left exposed to the internet without a password. From the report: The exposed server belongs to Voxox (formerly Telcentris), a San Diego, Calif.-based communications company. The server wasn't protected with a password, allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages. For Sebastien Kaul, a Berlin-based security researcher, it didn't take long to find. Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to one of Voxox's own subdomains. Worse, the database -- running on Amazon's Elasticsearch -- was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves.

3 of 37 comments

  1. Re:Dear Slashdot Users by noodlesup · · Score: 2

    Brian Krebs' blog is always a good read https://krebsonsecurity.com/

  2. And? Who goes to prison? by gweihir · · Score: 2

    Nobody? Then this is obviously perfectly acceptable and even negligence this extremely gross is not anything to worry about.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:And? Who goes to prison? by scamper_22 · · Score: 2

      That's really looking at the problem in retrospect. We have dealt with quality of infrastructure for a long time in the developed world.

      What you need are licensed people for such areas; especially things that are open to the public.

      You're not building a bridge without a proper license.
      You're not building a high rise without a proper license. ...

      Sure, you can do some stuff on your own with basic home repair or a shed.

      With licensing, then you have a case for negligence.

      Yes, I really do think you should need a license to put up a public website that holds personal data.