Sure, it’s early yet, but 2019 can award the crown for “Largest Data Breach” to a Lake Forest, California company called Voipo. The voice-over-internet company provides cloud-controlled phone lines for residences and businesses, and its customers’ text messages and call data is stored on its backend servers. A cybersecurity researcher not related to the company stumbled upon one of its servers unprotected in the wild.
The researcher determined that the server had been exposed since June 2018, and he found that it held a backlog of information stretching all the way to May 2015. The database not only contained unencrypted information detailing seven million call logs and six million texts, but it also consisted of various internal documents with sensitive info like passwords on them, also unencrypted.
The exposed server was an ElasticSearch database. Back in November, we reported on another ElasticSearch server found exposed online, exposing an incredible 57 million personal records and 26 million business records. While the Voipo data breach was not as large, it still put millions upon millions of users at risk. The researcher who discovered the database reports that any user who came across it could see real-time info, such as text messages being sent back and forth. The call logs on the breached server were apparently updated daily through January 8, 2019.
Despite evidence proving the opposite, Voipo CEO Timothy Dick insists that the company did not suffer a data breach. He states that the server in question is a “development server” and that it was taken offline as soon as the security researcher reported it. Furthermore, Dick would not commit to contacting authorities about the data breach, as he maintains no sensitive data has been compromised.
Our resident security evangelist Luis Corrons comments, “People are aware of data breaches. However, we kind of “expect” that if it happens, it would involve some data that we have given voluntarily. And, of course, our phone call logs or the content of our SMS is not something we give. In fact, in many countries, just storing these SMS for years, as in this case, would violate the law even if there is not a data breach, just because it is breaking the privacy of the consumers.”
To protect your own data if it’s ever involved in a data breach, Avast strongly recommends the following:
Stay aware of your accounts. Keep an ear up for all data breach news, and take note if any companies or organizations with which you’re associated have been compromised.
Periodically search your email address in the Avast Hack Check database, which will tell you if your info is part of any darkweb list.
If you are part of a breach, change your password. It’s a good way to make sure your cybersecurity remains effective and strong. Read this article on ideas for strong passwords.