
IdentifyMobile incident exposed 200M records from hundreds of companies

Submitted by Style Pass, 2024-07-11 10:00:03

Imagine someone gaining access to your online banking account, your private email, or your social media profiles. Despite your efforts to secure these accounts with both a password and an additional one-time password sent via SMS, this disturbing scenario is unfortunately possible.

The issue stems from the British bulk SMS provider IdentifyMobile, which handles a substantial volume of SMS traffic daily for numerous major clients. Many of these messages are part of two-factor authentication (2FA) processes, which add an extra layer of security by sending a second authentication factor via SMS.

However, the Chaos Computer Club (CCC) discovered a critical security lapse. Since August 2023, every SMS IdentifyMobile sent on its clients’ behalf was stored on an unsecured Amazon Web Services (AWS) S3 server. This server was accessible to anyone who knew its web address, with no passwords or encryption to protect the data. This significant oversight exposed sensitive information, making it vulnerable to unauthorized access and potential misuse.

Twilio recently alerted users to a security incident involving one of its third-party carriers – iBasis, via IdentifyMobile. Contrary to our initial report a week earlier, new revelations from the CCC indicate that the breach exposed more sensitive data than Twilio initially disclosed.
