Unprotected MongoDB database leaks over 80 million records belonging to an SMS marketing firm ApexSMS

  • The leaky database also kept a track of users who clicked on messages through Grand Slam Marketing, another small advertising company.
  • The data exposed in the incident includes MD5-hashed emails, IP addresses, Phone numbers, and ZIP codes.

ApexSMS Inc., an SMS text marketing company that also does business under the name of Mobile Drip, has suffered a data breach due to an unprotected MongoDB database. The unguarded database has exposed a total of 80,055,125 records belonging to the firm.

What data was involved?

According to the security researcher Bob Diachenko, the database contained a massive amount of data related to an SMS operation center with “one of the most prominent folder called ‘leads’”.

The exposed records include:

  • MD5 hashed email
  • First/last name
  • City/state/country/zip
  • IP address
  • Phone number
  • Carrier network for mobile
  • Line type (mobile or landline)

What are the other interesting facts?

Upon further investigation, Diachenko found that ApexSMS Inc. undertakes so-called SMS Bombing campaigns. SMS bomber is a software program that duplicates the same message multiple times or creates unique messages before sending them to specific phone numbers.

SMS Bombing is usually used for pranks, harassment or marketing campaigns. It is highly advertised on hacker or black hat forums. ApexSMS spammed millions of cell phone numbers with a variety of messages while pushing their victims to dozens of different scam sites.

TechCrunch reported that around 2.1 million users had fallen victim to these scammed sites which were sent as SMS through toll-free phone numbers.

Which scammed sites are involved?

The leaky database also kept a track of users who clicked on messages through Grand Slam Marketing, another small advertising company. The company’s name came to the light through a scam site named ‘premium partner’

Another scam site copytm.com contained hidden code that stole users’ names, email addresses, phone numbers, and IP addresses. The stolen data was submitted to ApexSMS spam database.

Apart from storing scammed sites, the database also kept a record of SMS replies from users.

What actions have been taken?

TechCrunch has reported the issue to Mobile Drip which later responded by saying that it has engaged an outside legal firm to investigate the matter.

“We take compliance and data security very seriously, and we are currently investigating to determine to what extent our information has been exposed to unauthorized parties. We have currently engaged an outside legal firm to assist with our investigation of this matter and we are also engaging a cybersecurity firm to perform a security audit,” said the company.

Although it is unclear as for how long the database was left open on the internet, Diachenko has revealed that the misconfigured database has been quietly secured days after the initial reporting.