A researcher discovers that Voipo, a communications provider based in Lake Forest, Calif., Has left a server with millions of call logs, SMS and more exposed for months.


An unprotected server storing millions of call logs and text messages was left open for months before being discovered by a security researcher.

If you thought you had heard this story before, you are not wrong. In November, Voxox, another telecommunications company, exposed a database containing millions of text messages, including password resets and two-factor codes.

This time, it's a different company: Voipo, a communications provider in Lake Forest, California, has exposed customer data worth tens of gigabytes.

Security Researcher Justin Paine discovered the database exposed last week and contacted the technical director of the company. Yet the database was disconnected even before Paine told him where to look.

Voipo is a voice provider on the Internet, providing residential and business phone line services that they can control themselves in the cloud. The company's background routes calls and processes text messages intended for its users. But since one of the background ElasticSearch databases was not password protected, anyone could watch and see real-time call log streams and text messages exchanged back.

This is one of the biggest data breaches of the year – with nearly seven million call logs, six million SMS and other internal documents containing unencrypted passwords that, if were used, could have allowed an attacker to obtain extended access to the company's systems.

TechCrunch examined some of the data and found web addresses in the logs directly to the client's login pages. (We did not use authentication information because it would be illegal.)

Paine said, and noted in his article, that the database was on display since June 2018 and that it contained logs of calls and messages dating back to May 2015. He told TechCrunch that newspapers were updated daily and dated back to January 8 – the same day. the database has been disconnected. Most files contain very detailed call records indicating who called who, the date and time, and so on.

A newspaper showing an incoming call. (Screenshot: TechCrunch.Data: Justin Paine)

Some numbers in the call logs were erased, added Paine, but the text message logs contained the numbers of the sender and the recipient, as well as the contents of the message.

An SMS sent just after the New Year. (Screenshot: TechCrunch.Data: Justin Paine)

Similar to the Voxox breach last year, Paine said that any intercepted text message containing two-factor codes or password reset links would then have "allowed the attacker to bypass the two-factor factor on the user's account ". (Another good reason to upgrade to application-based authentication.)

But Paine did not do extensive research in the files, concerned about the privacy of customers.

The logs also contained identification information to access the Voipo E911 service provider, which allows the emergency services to know the pre-recorded location of a person in the area. according to his phone number. Worse, he said, E911 services could have been disabled, preventing customers from using the service in case of emergency.

Another file contained a list of network appliance devices with plain text usernames and passwords. A cursory review showed that the files and journals contained meticulously detailed and invasive insights into the affairs of a person or company, their interlocutors and often for what reason.

Yet none of the data has been encrypted.

In an email, the CEO of Voipo, Timothy Dick, confirmed the data exposure, adding that it was "a development server and was not part of our production network ". Paine challenges this, given the details and the amount of data exposed in the database. TechCrunch also has no reason to believe that the data is not real customer data.

Dick said in an email to TechCrunch: "Almost immediately after contacting us to inform us that the dev server was exposed, we put it offline, we investigated and fixed the problem." He added: "At the moment, we have not found any evidence in the newspapers or on our network to indicate that a data breach has occurred."

Despite his repeated requests, Dick did not specify how the company had concluded that no one else had access to the data.

Dick also stated: "All our systems are protected by firewalls and the like and do not even allow external connections, except for internal servers." Even though the host names were listed, it would not be possible to log in and our logs would show no connection. " (When we checked, many internal systems with IP or Web addresses that we checked were loaded, even though we were outside the alleged firewall.)

However, in an email to Paine, Dick conceded that some of the data on the server "appeared to be valid".

Dick is not committed to informing the authorities of the state's exposure to data breach notification laws.

"We will continue to investigate and if we find evidence of an offense or anything in our newspapers that indicate one, we will of course take the measures that are required to remedy the situation. . [and] make notifications, "he said.

Do you have a tip? You can send tips safely through Signal and WhatsApp at +1 646-755-8849. You can also send an e-mail to PGP with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.