Welcome back from the holiday, Americans! Here's who leaked data while you were away

TrueDialog, Mixcloud, Magento Marketplace expose accounts

By Shaun Nichols in San Francisco


Thanksgiving is an ideal time to either hack (IT admins need holidays too) or to drop news of hacks (because no one's reading much news) so here's your roundup of the weekend's shenanigans.

In the past few days, researchers have disclosed breaches at mobile carrier TrueDialog, music streamer MixCloud, and Adobe's Magento Marketplace service. Millions of people are thought to be affected.

TrueDialog exposes "massive" activity database

The research team at VPNmentor took credit for the discovery and disclosure of a database owned by business comms provider TrueDialog. They report that the data of millions of users, including the content of SMS messages, was left out in the open after an Azure-hosted database was mistakenly set to public availability.

"This was a huge discovery, with a massive amount of private data exposed, including tens of millions of SMS text messages," reported the VPNmentor team.

"Aside from private text messages, our team discovered millions of account usernames and passwords, PII data of TrueDialog users and their customers, and much more."

TrueDialog provides SMS services to its customers, mostly businesses and educational institutions. The Texas-based company partners with phone carriers to offer things like alerts and large-scale marketing campaigns, as well as campus alerts and student admissions.

Those are the sort of SMS communications that were exposed, along with account details (email addresses, passwords in either plaintext or base64,) and contact information. VPNmentor says that, in total, the exposed database was 604GB in size and included data on tens of millions of people.

"It’s difficult to put the size of this data leak into context. Tens of millions of people were potentially exposed in a number of ways," the report reads.

"It’s rare for one database to contain such a huge volume of information that’s also incredibly varied."

TrueDialog confirmed the incident to The Register and said that while it is still investigating, currently it is believed that VPNmentor's team were the only people to spot the database before it was pulled from the public.

"We were notified on Thursday that for a short period text message logs between our business customers and individuals were potentially accessible on one of our Azure servers," CEO John Wright told El Reg.

"The data was located at a non-published network port which is now secured. We have internally found no evidence that the data was downloaded or viewed by anyone other than the security analyst who notified our company that the data was potentially accessible."

MixCloud punter profiles put up for sale

UK music streaming service MixCloud is said to be investigating after it was reported that the details on 21 million users are being flagged for sale on the dark web.

Just what could be done with this pilfered data (usernames, email addresses, hashed passwords) isn't quite clear. The passwords are said to have been securely encoded, and no payment data is included.

Still, those who have a Mixcloud account will want to change up their password and if those credentials were re-used on other sites (don't do this) those logins should also be updated.

Adobe warns of Magento Marketplace breach

Recently, Adobe began notifying developers on its Magento Marketplace plug-in store that someone had managed to break into a system containing account details, but no payment card information.

Russian bloke charged in US with running $20 million stolen card-as-a-service online souk


"On November 21, we became aware of a vulnerability related to Magento Marketplace. We temporarily took down the Magento Marketplace in order to address the issue," Magento said in announcing the incident.

"The Marketplace is back online. This issue did not affect the operation of any Magento core products or services."

The exposed data included name email address, account name, billing/shipping address, and, in some cases, the percentage of plug-in sales that Magento had paid out to third-party developers. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Take a dip in our joint data lake, 'seamlessly' hoover up intel on customers – Microsoft, SAP and Adobe

Tech trio put Accenture, EY, WPP on advisory council for 'Open Data Initiative'

It is with a heavy heart that we must report that your software has bugs and needs patching: Microsoft, Adobe, SAP, Intel emit security fixes

Patch Tuesday And Google drops a zero-day on Windows after deadline miss

Don't be so Maduro: Adobe backs down (a little) on Venezuela sanctions blockade

Media giant says it can now pay back subscription fees

Hot patches for ColdFusion: Adobe drops trio of fixes for three serious flaws

While you're at it, fix Java too

VMware has a Pivotal moment in its quest to be 'leading enabler of Kubernetes'

Shopping spree means all roads lead to K8s for Virtzilla

Windows 10 update panic: Older VMware Workstation Pro app broken

Desperate users tinkering with compatibility system to get up and running again

Google becomes third major cloud vendor to tie the knot with VMware

More cloud polygamy for Dell EMC's Virtzilla

Intel, Microsoft, Adobe release a swarm of bug fixes to ruin your week

Massive patch dump with 112 fixes... and that's just for the Photoshop giant

VMware now officially supported on Azure. We repeat: VMware now supported on Azure

Dell World 'Member when Microsoft tried this in 2017? It didn’t go well...

Creative cloudy types still making it rain cash for Adobe

Maker of cloudy PDF and services software ... yes, that's Perpetually Dosh Forming


Reduce Redis Enterprise Deployment Cost, Complexity with Intel Optane DC Persistent Memory

Intel has prepared this Optane DC persistent memory kit to help you reduce Redis Enterprise deployments cost and complexity with 2nd generation Intel Xeon scalable processors and Intel Optane DC persistent memory.

Faster Response with CrowdStrike and MITRE ATT&CK

Today’s threat landscape has created new challenges for security analysts and incident responders.

Security Advisory: Is Your Enterprise Data Being "Phoned Home"?

This report provides four real-world examples of vendors “phoning home” data in an unauthorized manner, observed by ExtraHop customers in 2018 and the first weeks of 2019.

63% Say Networks are Wrecking Office 365 Collaboration

TechValidate, on behalf of Zscaler, conducted a survey of 250 U.S. and European organizations that had deployed Office 365.