IdentifyMobile incident exposed 200M records from hundreds of companies

Imagine someone gaining access to your online banking account, your private email, or your social media profiles. Despite your efforts to secure these accounts with both a password and an additional one-time password sent via SMS, this disturbing scenario is unfortunately possible.

The issue stems from the British bulk SMS provider IdentifyMobile, which handles a substantial volume of SMS traffic daily for numerous major clients. Many of these messages are part of two-factor authentication (2FA) processes, which add an extra layer of security by sending a second authentication factor via SMS.

However, the Chaos Computer Club (CCC) discovered a critical security lapse. Every SMS IdentifyMobile sent on its clients’ behalf since August 2023 was stored on an unsecured Amazon Web Services (AWS) S3 server. This server was accessible to anyone between May 10 and May 15, 2024, who knew its web address, with no passwords or encryption to protect the data.

The CCC, a well-known security research organization, published its report today stating that it had live access to over 200 million SMS messages from more than 200 companies.

According to CCC, the exposed data included not only SMS message content but also phone numbers, sender names, and sometimes other account information.

This aligns with our recent report on Twilio, which alerted users on July 3 to a security incident involving one of its third-party carriers, iBasis, via IdentifyMobile.

“We conducted a thorough investigation in partnership with iBasis, and based on our findings, we believe that none of your messages containing personal data were exposed. While we have taken every measure to verify this, we cannot completely rule out the possibility of personal data exposure,” Twilio said in their security alert.

CCC findings

CCC found that IdentifyMobile, a downstream carrier employed by iBasis—one of Twilio’s backup carriers—had inadvertently enabled public access to an AWS S3 bucket during development work.

The CCC, being at the right place at the right time, accessed this data by simply guessing the subdomain “idmdatastore.” This exposed the SMS content and recipients’ phone numbers, sender names, and sometimes other account information.

To truly misuse the SMS codes, attackers would typically still need the password. However, “1-click login” links were also included in the data. For some large affected companies, only individual services were protected by IdentifyMobile.

Over 200 companies were affected, including prominent names like Google, Amazon, Facebook, Microsoft, Telegram, Airbnb, FedEx, and DHL. In total, over 198 million SMS messages were leaked.

CCC disclosed that they saw SMS contents such as:

  • WhatsApp codes
  • Transaction authorization numbers (TANs) for financial transactions
  • “1-click login” links

For example, they were able to access SMS content like this:

WhatsApp code: 2342
You can also tap on this link to verify your phone:
Do not share this code.
Transfer to DE63 4306 0967 1239 7690 03
Amount: 1,312.00 EUR
TAN: 161161
Please enter this TAN to complete the transaction.
This TAN is valid for 5 minutes.

Such information could have been abused in several ways. An attacker accessing WhatsApp verification codes could take over user accounts, leading to unauthorized access to private conversations and contacts. Similarly, TAN (Transaction Authentication Number) codes for financial transactions could allow attackers to authorize fraudulent transactions, transferring money to accounts under their control.

Admittedly, these SMS contents were exposed for only a few days, from May 10 to May 15, 2024. However, even this brief window represents a serious security lapse. During these few days, attackers could have accessed sensitive information and created backups of it—CCC has not mentioned what else was stored in the AWS bucket.

The CCC researchers confirmed that they did not retain the accessed data but cannot rule out the possibility that others may have accessed it.

The situation raises questions about data handling practices, mainly why the SMS messages were saved unprotected in the first place. There has been no comment or any follow-ups from either IdentifyMobile or Twilio.

We’ve already tried to get a comment from IdentifyMobile once the Twilio alert was sent to users, but they have not acknowledged it. Twilio has also not made any official security bulletins on their site, even though they made one for the Authy breach.


Related stories
1 week ago - In a recent email notification to its users, as seen by Stack Diary, Twilio has disclosed a security incident involving... The post Twilio issues an alert about a security incident with a 3rd party carrier appeared first on Stack Diary.
Other stories
10 minutes ago - Excel-lent, Smithers, have we fired accounting yet? Researchers at Microsoft have developed a framework designed to make it easier for large language models (LLMs) to analyze the content of spreadsheets and perform data management and...
55 minutes ago - Not the real Satoshi — UK judge refers Wright to prosecutors, suggests arrest warrant and...
55 minutes ago - still processing — Ryzen 9000 will also have more overclocking headroom, for those interested. ...
55 minutes ago - Seismic information now allows us to make a planet-wide estimate of impact rates.
55 minutes ago - The 20 best Prime Day speaker deals we've reviewed in 2024  EngadgetAmazon Prime Day 2024: the best deals under $50  The VergeThe Best Prime Day Speaker Deals To Shop Right Now  ForbesOne of Our Favorite Bose Bluetooth Speakers Is $50 Off...