Five-year breach gave hackers access to billions of text messages

A company that handles text messaging and general telecommunications infrastructure for carriers around the world has confirmed it has been hacked, with intruders potentially gaining access to some sensitive customer information for years.




Disclosed in an SEC filing on September 27, Syniverse advises that an "individual or organization gained unauthorized access to databases within its network" and that its systems accessed by 235 customers had been compromised.

As Syniverse provides a communications backend, and each of those customers could be a carrier in their own right, this could involve a breach affecting hundreds of millions of people, if not billions. Syniverse declined to disclose to Motherboard the scale of the breach or the kind of data affected by it.

A source for the report who works at a carrier said that the types of data could include lots of metadata, such as the length and cost of a call or message, phone numbers, locations, and the content of text messages. As a common exchange hub for carriers, "it inevitably carries sensitive info like call records, data usage records, text messages, etc," the source added.

The breach is unlikely to have affected secure messaging services like iMessage due to the use of end-to-end encryption, at least for communications between users of the same service. In the case of iMessage, if the recipient isn't registered with Apple, the message is handled as a text message, and so isn't as protected.

While the disclosure occurred in late September, it appears the breach lasted for many years, starting from May of 2016 and running until May 2021.

Clients of the company include AT&T, Verizon, T-Mobile, and other major firms, with it processing more than 740 billion text messages per year. With the general lack of security of SMS, security researcher Karsten Nohl says it could be a "global privacy disaster."

With direct access to phone call records and text messaging, along with indirect access to accounts protected with SMS-based two-factor authentication, "Hacking Syniverse will ease access to Google, Microsoft, Facebook, Twitter, Amazon, and all kinds of other accounts, all at once," said Nohl.

Senator Ron Wyden released a statement calling the data Syniverse handles "espionage gold" to nation states. "That this breach went undiscovered for five years raises serious questions about Syniverse's cybersecurity practices."

Wyden said that the Federal Communications Commission should look into the affair. The investigation should determine if Syniverse's policies were negligent, see if other similar companies endured similar breaches, and then set "mandatory cybersecurity standards for this industry," said Wyden.


Comments

  • Reply 1 of 10
    jimh2 Posts: 425 member
    Looks a good reason to stop texting to android friends. 
  • Reply 2 of 10
    sflocal Posts: 5,974 member
    There need to be serious consequences for companies (and their CEOs) that have a blatant disregard for the security of their users. Security is a never-ending cost of doing business and it's obvious many don't do it. It's almost to the point where it happens so often that people are now just accepting it as the status quo, which is the worst thing to do.
  • Reply 3 of 10
    sflocal said:
    There need to be serious consequences for companies (and their CEOs) that have a blatant disregard for the security of their users. Security is a never-ending cost of doing business and it's obvious many don't do it. It's almost to the point where it happens so often that people are now just accepting it as the status quo, which is the worst thing to do.
    Some bosses believe it is cheaper to pay a $10m ransom once in a while than pay $1m each year to do proper security maintenance.
  • Reply 4 of 10
    bluefire1 Posts: 1,217 member
    Thankfully we have iMessage!!
    edited October 2021
  • Reply 5 of 10
    sflocal Posts: 5,974 member
    viclauyyc said:
    sflocal said:
    There need to be serious consequences for companies (and their CEOs) that have a blatant disregard for the security of their users. Security is a never-ending cost of doing business and it's obvious many don't do it. It's almost to the point where it happens so often that people are now just accepting it as the status quo, which is the worst thing to do.
    Some bosses believe it is cheaper to pay a $10m ransom once in a while than pay $1m each year to do proper security maintenance.
    There are CEOs that think this way and they should face consequences. Even with your logic, if they have to pay $10m once every 10 years, I think paying $1m/yr on proper security practices is better as in the end the cost washes out. Unless... they'd rather show nine years of better figures, which boosts their stock price and enriches CEOs just in time when they retire/leave that job before the next ransomware hit.
  • Reply 6 of 10
    bloggerblog Posts: 2,238 member
    sflocal said:
    There need to be serious consequences for companies (and their CEOs) that have a blatant disregard for the security of their users. Security is a never-ending cost of doing business and it's obvious many don't do it. It's almost to the point where it happens so often that people are now just accepting it as the status quo, which is the worst thing to do.
    Remember the Equifax data breach when they 'failed' to update Apache Struts and their managers sold their stock right before the breach was revealed and all they got was a slap on the wrist. It makes me wonder if these 'breaches' are really breaches.
  • Reply 7 of 10
    gatorguy Posts: 23,393 member
    jimh2 said:
    Looks a good reason to stop texting to android friends. 
    Until Apple decides to support the end-to-end encrypted RCS messaging Google employs (in addition to iMessage), an Android user who texts you will not be assured his messages are not being secretly read, any more than you sending a message to them is certified E2EE private and secure. Apple still wants to use standard insecure SMS when you text your not-registered-with-Apple contacts.
  • Reply 8 of 10
    sflocal said:
    There need to be serious consequences for companies (and their CEOs) that have a blatant disregard for the security of their users. Security is a never-ending cost of doing business and it's obvious many don't do it. It's almost to the point where it happens so often that people are now just accepting it as the status quo, which is the worst thing to do.
    Remember the Equifax data breach when they 'failed' to update Apache Struts and their managers sold their stock right before the breach was revealed and all they got was a slap on the wrist. It makes me wonder if these 'breaches' are really breaches.
    Yup… I bet someone at Syniverse has made big bucks on this ‘breach’. And what’s stopping them?
  • Reply 9 of 10
    roake Posts: 783 member
    Just think of this breach as a back door for the government.  I mean, you might as well.  The government back door would offer about the same level of security.
  • Reply 10 of 10
    neutrino23 Posts: 1,558 member
    Five years? This wasn't a breach. Sounds more like they had permission. 