Data Breach

Million password resets and 2FA codes exposed in unsecured Vovox DB

Million of password resets and two-factor authentication codes exposed in unsecured Vovox DB.

Sébastien Kaul, a security researcher based in Berlin, has discovered a poorly secured database owned by communication firm Vovox that contained left names, phone numbers, tens of millions of SMS messages, temporary passwords, two-factor codes, shipping alerts, and other information belonging to customers of companies including Microsoft, Amazon, and Google.

It has been estimated that the exposed archive included at least 26 million text messages year-to-date.

“Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to one of Voxox’s own subdomains.reported Techcrunch.

“Worse, the database — running on Amazon’s Elasticsearch — was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves.”

Vovox data leakVovox data leak

Vovox promptly took down the database after TechCrunch informed the company with an inquiry.

Anyone that accessed to the database while it was exposed online could have obtained two-factor codes sent by users to access their accounts potentially exposing them to account take over.

Below TechCrunch’s findings from a cursory review of the data:

  • We found a password sent in plaintext to a Los Angeles phone number by dating app Badoo;
  • Several Booking.com partners were sent their six-digit two-factor codes to log in to the company’s extranet corporate network;
  • Fidelity Investments also sent six-digit security codes to one Chicago Loop area code;
  • Many messages included two-factor verification codes for Google accounts in Latin America;
  • A Mountain View, Calif.-based credit union, the First Tech Federal Credit Union, also sent a temporary banking password in plaintext to a Nebraska number;
  • We found a shipping notification text sent by Amazon with a link, which opened up Amazon’s delivery tracking page, including the UPS tracking number, en route to its destination in Florida;
  • Messenger apps KakaoTalk and Viber, and quiz app HQ Trivia use the service to verify user phone numbers;
  • We also found messages that contained Microsoft’s account password reset codes and Huawei ID verification codes;
  • Yahoo also used the service to send some account keys by text message;
  • And, several small to mid-size hospitals and medical facilities sent reminders to patients about their upcoming appointments, and in some cases, billing inquiries.

Kevin Hertz, Voxox’s co-founder and chief technology officer, wrote in an email that the company is “looking into the issue and following standard data breach policy at the moment,” and that the company is “evaluating impact.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Voxox, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Mozilla fixed zero-days recently demonstrated at Pwn2Own Berlin 2025

Mozilla addressed two critical Firefox vulnerabilities that could be potentially exploited to access sensitive data…

7 hours ago

Japan passed a law allowing preemptive offensive cyber actions<gwmw style="display:none;"></gwmw>

Japan passed a law allowing preemptive offensive cyber actions, shifting from its pacifist stance to…

12 hours ago

Pwn2Own Berlin 2025: total prize money reached $1,078,750

Pwn2Own Berlin 2025 wrapped up with $383,750 awarded on the final day, pushing the total…

18 hours ago

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 45

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

2 days ago

Security Affairs newsletter Round 524 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

2 days ago