The news broke yesterday that Voxox, a San Diego, California-based communications provider, left a database containing at least 26 million text messages, including password reset links, 2FA codes, shipping notifications and more exposed without a password. The exposure to personal information, phone numbers and 2FA codes in near-real-time could have put countless accounts at risk of hijack. Some websites only require a phone number to reset an account to meaning that this process could take just seconds. IT security experts commented below.
Jacob Serpa, Product Marketing Manager at Bitglass:
Over the past year, misconfigurations have grown in popularity as an attack vector across all industries. This highlights the reality that organizations are struggling with limited IT resources and consequently are susceptible to careless and reckless mistakes like misconfigurations. As such, companies must turn to flexible and cost-effective solutions that can help them to defend against data leakage; for example, cloud security posture management (CSPM), data loss prevention (DLP), user and entity behavior analytics (UEBA) and more. Only then can they be certain that their data is truly safe.”
Mark Weiner, CMO at Balbix:
It is mathematically impossible for humans to conduct the continuous monitoring of all IT assets and infrastructure needed to stay ahead of attack vectors—security platforms developed with artificial intelligence and machine learning are essential to support security teams, and proactively manage risk.”
Michael Magrath, Director, Global Regulations & Standards at OneSpan, Inc.:
“The fact that messages were sent in clear text with the ability to link one’s mobile phone number to a service provider opens the door to serious privacy infringements. The only good news to come out of this for California-based, Voxox is that these security infractions occurred before the California Consumer Privacy Act of 2018 goes into effect in January 2020. The Act defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The article cites that a password was sent in plaintext to a Los Angeles phone number by dating app Badoo, which would be in direct violation of the Act. Let’s hope the Badoo subscriber is not married. If so, they may be no longer.
“For convenience, many people reuse the same password across multiple websites. Intercepted passwords sent in plain text could open a user to account takeover at their bank, brokerage, and favorite e-commerce sites. Even more reasons why websites should accept strong authentication for users to access and make transactions. Technologies like Intelligent Adaptive Authentication — which analyzes and score hundreds of user, device, and transaction data in real-time to determine the precise authentication requirements for each transaction — are beneficial to organizations of all sizes while offering robust, risk-based security without compromising end-user convenience. With so many frictionless options commercially available, it is more of a question or “why not” rather than “when.”
Bimal Gandhi, Chief Executive Officer at Uniken: