The news was recently reported that Voipo, a Lake Forest, California-based communications provider, left a database containing seven million call logs, six million text messages and other internal documents containing unencrypted passwords unprotected without a password. The database was exposed since June 2018 and contains call and message logs dating back to May 2015.
Just like last year’s Voxox breach, any intercepted text messages containing 2FA codes or password reset links could have allowed the attacker to hijack a user’s account.
Experts Comments below:
Stephan Chenette, CTO and Co-founder at AttackIQ:
“It does not take much for outsiders to find unsecured databases and access sensitive information. In fact, there are now tools designed to detect misconfigurations within cloud-tools like Amazon’s S3. Voipo’s misconfiguration left millions of call logs, text messages and other internal documents containing unencrypted passwords out in the open, compromising the account security of millions.
Misconfigured security controls are an all too common problem. Organizations are increasingly struggling with limited and under trained IT resources that lead to using default account passwords, unpatched systems, and poorly configured network devices. Data leaks of any kind can undermine customer confidence and are usually caused by security issues, or in Voipo’s case, technical errors, that are easily preventable. Unauthorized exposure of any type of customer data, for any period, is a serious issue and organizations should always have a plan to continuously assess the viability of their security controls.”
Ruchika Mishra, Director of Products and Solutions at Balbix:
“The millions of exposed call logs, text messages and other internal documents containing unencrypted passwords render the impacted individuals easy targets for threat actors engaged in account hijacking. Although Voipo claims there is no evidence to indicate a breach occurred, the company cannot guarantee that no unauthorized users accessed the data, especially since it was left unsecured and easily available for months. Voipo and its customers might still be secure if the company had early visibility into vulnerabilities across its entire attack surface — including passwords and unencrypted data — and been able to correct them right away.
It is mathematically impossible for humans to conduct the continuous monitoring of all IT assets and infrastructure needed to stay ahead of all attack vectors—thus security platforms developed with artificial intelligence and machine learning are essential to support security teams, and proactively prevent breaches and data leaks such as this.”
Rich Campagna, CMO at Bitglass:
“Voipo is yet another example of a company that exposed massive amounts of sensitive consumer data because of a simple security mistake. Leaving a database publicly accessible is unacceptable – even smaller companies with limited IT resources must ensure that they are properly securing data. As such, they must turn to flexible, cost-effective solutions that can prevent data leakage. Fortunately, leading cloud access security brokers (CASBs) boast features like cloud security posture management (CSPM), data loss prevention (DLP), user and entity behavior analytics (UEBA), and encryption of data at rest. It is only with these types of capabilities that an enterprise can be certain that its data is truly safe.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.