Russian Megafon posts thousands of customer SMS to the open Web
When Google was just getting started and some companies didn’t have enough experience to keep their customer data really private, all kinds of interesting things used to end up on the Web, including personally identifiable information, medical records and credit card numbers.
Eventually things did get better, but sometimes we still get an interesting data breach or two. And today we got a major one.
Somehow, Russian mobile operator Megafon managed to get at least some of its customers’ SMS messages – complete message texts, tied to the actual phone numbers – into the index of Russian search engine Yandex.ru. If you type the query “url:www.sendsms.megafon.ru* | url:sendsms.megafon.ru*” into the search box there, private customer SMS messages start popping up.
The number of messages made public does not seem to be very large. Yandex search returns 8765 results for the query, and, given the total volume of SMS going out on your average mobile network, that’s probably a fraction of a percent of the total.
But the nature of the breach – full text of the SMS and the mobile number from which it was sent – makes this one really bad. A quick skim of the results shows tons of “I love you” notes, break-up messages, gossip about others and what not, which could cause a lot of grief to the sender if seen by someone else.
The messages that made it into Yandex were sent via Megafon’s SMS Web interface, sendsms.megafon.ru.
Update: Megafon admitted to the SMS leak, confirming that no phone-to-phone messages were leaked, which means that only SMS messages sent via the Megafon Web interface were affected. According to Megafon, the “situation is now under control” and the leaked information has now been removed from Yandex. However, there are reports that users are still finding public SMS messages in regional Yandex caches in some parts of Russia.
Hat tip to @eldarmurtazin