A company that manages text messaging and general telecommunications infrastructure for carriers around the world has confirmed that it has been hacked, with intruders potentially having had access to certain sensitive customer information for years.
In an SEC filing disclosed on September 27, Syniverse reported that an “individual or organization has gained unauthorized access to databases on its network” and that its systems, which 235 clients have accessed, had been compromised.
Since Syniverse provides a communications backend, and each of those customers could be a full-fledged operator, this could involve a breach affecting hundreds of millions of people, or even billions. Syniverse refused to disclose to Motherboard the scale of the breach or the types of data affected.
A source for the report who works at an operator suggested that the data types could include a lot of metadata, such as the length and cost of a call or message, phone numbers, locations, and the content of text messages. As a common clearinghouse for operators, “it inevitably contains sensitive information such as call records, data usage records, text messages, etc.,” the source added.
The breach is unlikely to have affected secure messaging services like iMessage due to the use of end-to-end encryption, at least for communications between users of the same service. In the case of iMessage, if the recipient is not registered with Apple, the message is delivered as a text message and is therefore not as protected.
Although the disclosure took place at the end of September, it appears that the breach lasted for many years, from May 2016 until May 2021.
The company’s customers include AT&T, Verizon, T-Mobile and other large corporations, which process more than 740 billion text messages a year. Given the general lack of SMS security, security researcher Karsten Nohl says it could be a “global privacy disaster.”
With direct access to phone call recordings and text messaging, as well as indirect access to accounts protected by SMS-based two-factor authentication, “Syniverse hack will make it easier to access Google, Microsoft, Facebook, Twitter, Amazon and all kinds of other accounts all of a sudden,” Nohl said.
Senator Ron Wyden issued a statement calling the data Syniverse manages “spy gold” for nation states. “The fact that this breach was not discovered for five years raises serious questions about Syniverse’s cybersecurity practices.”
Wyden said the Federal Communications Commission should look into the case. The investigation is expected to determine whether Syniverse’s policies were negligent, see if other similar companies have suffered similar violations, and then set “mandatory cybersecurity standards for this industry,” Wyden said.