Unprotected VOIP Server Exposes Millions of Call Logs and SMS Messages

A California-based Voice-Over IP (VOIP) services provider has accidentally left tens of gigabytes of its customer data, containing millions of call logs, SMS/MMS messages, and plaintext internal system credentials, publicly accessible to anyone without authentication. VOIPo is one of the leading providers of VOIP services in the US offering reseller VoiP, Cloud VoiP, and VoiP services to residential and small businesses.

VOIPO’s CTO was notified of an exposed ElasticSearch database discovered via Shodan search engine that contained at least 4 years worth of customer data. The database contained 6.7 million call logs dating back to July 2017, 6 million SMS/MMS logs dating back to December 2015, and 1 million logs containing API key for internal systems. The server was said to be a development server that had accidentally been left publicly accessible, but the database contained ‘valid data’ which means real production data, without specifying which data was allegedly development data and which was production data.

This is the second time this month when a large database containing millions of user records has been found open to the world.