350M Records, Health Details Exposed by Misconfigured Database
A trove of 10 data collections owned by vendor Broadvoice was left exposed online without any authentication, compromising more than 350 million records, including voicemail transcripts, some of which contained health information.
Comparitech researchers discovered a set of Broadvoice databases containing more than 350 million customer records, including names, contact details, and in some cases sensitive health information, reachable online with no password or other authentication required.
Broadvoice is a cloud-based Voice over IP telecommunications vendor serving a range of US businesses. Security researcher Bob Diachenko, working on behalf of Comparitech, found the exposed Broadvoice data on October 1, the same day the database was first indexed by the Shodan.io search engine.
The database was part of an unprotected Elasticsearch cluster and contained 10 data collections, among them a collection of voicemail records whose transcripts discussed sensitive matters, including details of medical prescriptions and financial loans.
The largest subset held more than 275 million records containing full caller names, caller identification numbers, phone numbers, states, and cities. Another collection included 2 million voicemail records, of which at least 200,000 included transcripts.
Most of those records included caller names (individuals or businesses), phone numbers, a name or identifier for the voice mailbox (a first name or a general label such as “clinical staff” or “appointments”), and internal identifiers.
“Many of the transcripts included select personal details such as full name, phone number, and date of birth, as well as some sensitive information,” researchers wrote. “For example, some transcripts of voicemails left at medical clinics included names of prescriptions or details about medical procedures.”
“In one transcript, the caller identified themselves by their full name and discussed a positive COVID-19 diagnosis,” they added. “A collection entitled ‘people-production’ appeared to contain account details for Broadvoice users.... It appears that most, if not all, of the exposed data pertains to users of XBP, a platform that Broadvoice acquired several years ago.”
Diachenko promptly contacted Broadvoice to disclose the finding responsibly, but received only an automated reply and no further correspondence. The database was secured three days later, on October 4.
The company’s CEO, Jim Murphy, called the database “a subset of b-hive data” that had been inadvertently stored unsecured from September 28 until it was locked down several days later. Broadvoice has since launched an investigation, confirmed the data is now secured, and alerted federal law enforcement.
Murphy added that the company is “working with the security researcher to ensure that the data he accessed is destroyed,” and is working with a third-party forensics firm to analyze the data and determine the scope of the incident.
“The leaked database represents a wealth of information that could help facilitate targeted phishing attacks,” researchers explained. “In the hands of fraudsters, it would offer a ripe opportunity to dupe Broadvoice clients and their customers out of additional information and possibly into handing over money.”
“For example, criminals could pose as Broadvoice or one of its clients to convince customers to provide things like account login credentials or financial information,” they added. “Of particular concern here are the details in some of the voicemail transcripts. Information about things like medical prescriptions and loan enquiries could be used to make messages extremely convincing and persuasive.”
The discovery is particularly concerning because previous Comparitech research found that attackers begin targeting online databases within hours of their initial setup; in that research, an inadvertently unsecured or misconfigured database was compromised in just over eight hours.
Many attackers rely on internet-wide search engines such as Shodan.io or BinaryEdge, and often hit exposed databases within minutes of their being indexed. Data like this lets them send emails, text messages, or phone calls to potential victims asking for further personal information.
Meanwhile, cybercriminals could use leaked insurance policy numbers and financial loan inquiries directly, without needing to phish victims at all.
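The exposure described above comes down to one check: does the Elasticsearch HTTP port answer `GET /_cat/indices` without credentials? The following is an added example, written for this page rather than taken from Comparitech, Broadvoice, or the Elasticsearch project, of how a practitioner would probe a cluster they are authorised to test and summarise what an anonymous reader could reach. The host, port and the sample index list (`people-production` is the collection name from the report; the other names and all document counts are constructed) are assumptions for illustration.

```python
"""Probe an Elasticsearch endpoint for anonymous access and summarise exposure.

Added illustration for this article, not tooling from Comparitech, Broadvoice
or Elastic. Run the offline demo with: python es_exposure_check.py
"""
import json
import urllib.error
import urllib.request

# Sample body of GET /_cat/indices?format=json, constructed for this example.
# Index names (other than "people-production", taken from the report) and all
# counts are illustrative, not the real exposed data.
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "yellow", "index": "people-production", "docs.count": "1200", "store.size": "2mb"},
    {"health": "green", "index": "voicemail-transcripts", "docs.count": "200000", "store.size": "450mb"},
    {"health": "green", "index": ".kibana_1", "docs.count": "12", "store.size": "30kb"},
])


def classify_response(status, body):
    """Classify the answer to an unauthenticated GET /_cat/indices?format=json.

    'open'          -> HTTP 200 with a JSON list of index rows: anyone can read the cluster
    'auth_required' -> HTTP 401/403: security is enabled and rejecting anonymous callers
    'not_es'        -> anything else (not Elasticsearch, unreachable, or unparseable)
    """
    if status in (401, 403):
        return "auth_required"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "not_es"
        if isinstance(data, list) and all(isinstance(row, dict) and "index" in row for row in data):
            return "open"
    return "not_es"


def summarize_indices(cat_json, min_docs=1000):
    """Return ({index: doc_count} for user indices with >= min_docs docs, total user docs).

    System indices (names starting with '.') are skipped; the question that matters
    is how much customer data a stranger could page through with a scroll query.
    A closed index reports docs.count as null, which is treated as 0.
    """
    exposed = {}
    total = 0
    for row in json.loads(cat_json):
        name = row["index"]
        if name.startswith("."):
            continue
        count = int(row.get("docs.count") or 0)
        total += count
        if count >= min_docs:
            exposed[name] = count
    return exposed, total


def probe(host, port=9200, timeout=5):
    """Issue the real request against host:port (network; only for hosts you are authorised to test)."""
    url = f"http://{host}:{port}/_cat/indices?format=json"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, "")
    except (urllib.error.URLError, OSError):
        return "not_es"


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; no network access needed.
    verdict = classify_response(200, SAMPLE_CAT_INDICES)
    exposed, total = summarize_indices(SAMPLE_CAT_INDICES)
    print(f"verdict={verdict} user_docs={total} large_indices={exposed}")
```

An `open` verdict on a cluster that should be private is the condition this article describes: Shodan indexes the same banner on port 9200 that this probe reads, so the window between misconfiguration and discovery is measured in hours. The fix on the Elasticsearch side is to keep `network.host` bound to an internal address and to run with `xpack.security.enabled: true` (or put the port behind an authenticating proxy), so that the probe returns `auth_required` instead.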
“When we discover unsecured data, we determine what information is exposed, who it pertains to, who is responsible for it, and what the potential impact of the exposure could be,” researchers explained. “We then work quickly to inform responsible parties of the data leak so that the information can be secured.”
“Then, in order to help raise awareness of data exposures in general and inform affected parties of this particular incident, we publish a report,” they added. “Our aim is to have the data secured and all relevant parties informed as quickly as possible to minimize the potential damage caused.”