It seems like every day we hear worse news about how companies handle our data. This time around, the VoIP company Voipo had apparently left one of its servers public for months. This exposed millions of SMS messages, call logs, and other highly personal data. Read on for the full story.
Voipo’s Exposed Database – Full Story
Security researcher Justin Paine recently found that Voipo had a database that was exposing gigabytes of customer data. The company provides consumer and business phone line services accessible through the cloud.
Paine discovered that one of their backend databases had no password protection. That basically means that anyone was able to access the database and all of the information it holds. Here is the type of information Paine saw in the database:
- 1M documents containing logs with API keys for internal systems.
- 6M documents containing SMS/MMS timestamps and content going back to 2015.
- 1M documents containing internal hostnames, some with their plaintext usernames and passwords.
- 6.7M documents containing call logs and their metadata (“partial originating # partial destination #, timestamp, duration of call”).
While some of the information is from 2015, the database itself has been exposed since June 2018. The good news is that Voipo shut down access to the database the moment Paine informed the company’s chief technology officer.
How Did Voipo Respond?
Voipo released a statement assuring its customers that the server in question was a development server. In other words, Voipo is stating that most of the information on the server did not come from its customers but is data it put in to test out its own services.
Now, here’s where it gets a little…odd.
Voipo’s statement seems to be a reply to TechCrunch writer Zack Whittaker. In the statement, Voipo made it seem like Whittaker’s report on the incident did not properly reflect the situation. The company said that the server did not show real-life data or leak customer information. Additionally, it assured its customers that the data found was mostly simulated.
“This was an isolated dev server and our production environment and the rest of our network was not at risk. All production systems remained firewalled and secured and it would not have been possible for connections to those systems.”
With regards to its customers, Voipo said,
“If we find any indication that customers may have been impacted or had any information accessed (such as an SMS message that our system flagged as SPAM primarily due to the very limited scope of what was on the server), we will notify users. At the time though, we have no reason to believe any customers were impacted based on log data and analysis.”
However, Whittaker had done his own digging into the data and found evidence that Voipo’s account was not accurate. In fact, he tweeted his response showing “14 misleading or false statements in Voipo’s statement”. He mostly focused on how the company refuses to fully acknowledge this incident as a breach and how it isn’t being forthright about what the data in the database included.
Voipo’s Exposed Database – Final Thoughts
No one is 100% safe from hacks. Sometimes, companies learn of a vulnerability after they discover a hack or a breach. However, you usually expect the company to come to terms with the hack. You expect an explanation, a public apology, and a confirmation that the company is working with the authorities to figure out what happened.
However, Voipo did not do that. It didn’t report the incident to the authorities because it has “no reason to believe that any customers were impacted”. That’s right, a database being public for months isn’t reason enough for them. Hopefully, we’ll get a more transparent statement from them soon. In the meantime, feel free to check out the VoIP apps that you can trust to keep your privacy and your security.