Five-year breach gave hackers access to billions of text messages

A company that handles text messaging and general telecommunications infrastructure for carriers around the world has confirmed it has been hacked, with introducers potentially gaining access to some sensitive customer information for years.

Disclosed in an SEC filing on September 27, Syniverse advises an "individual or organization gained unauthorized access to databases within its network" and that its systems accessed by 235 customers had been compromised.

As Syniverse provides a communications backend, and each of those customers could be a carrier in their own right, this could involve a breach affecting hundreds of millions of people, if not billions. Syniverse declined to disclose the scale of the breach to Motherboard, nor the kind of data was affected by it.

A report source who works at a carrier offered that the types of data could include lots of metadata, such as the length and cost of a call or message, phone numbers, locations, and the content of text messages. As a common exchange hub for carriers, "it inevitably carries sensitive info like call records, data usage records, text messages, etc," the source added.

The breach is unlikely to have affected secure messaging services like iMessage due to the use of end-to-end encryption, at least for communications between users of the same service. In the case of iMessage, if the recipient isn't registered with Apple, it is handed as a text message, and so isn't as protected.

While the disclosure occurred in late September, it appears the breach lasted for many years, starting from May of 2016 and running until May 2021.

Clients of the company include AT&T, Verizon, T-Mobile, and other major firms, with it processing more than 740 billion text messages per year. With the general lack of security of SMS, security researcher Karsten Nohl says it could be a "global privacy disaster."

With direct access to phone call records and text messaging, along with indirect access to accounts protected with SMS-based two-factor authentication, "Hacking Syniverse will ease access to Google, Microsoft, Facebook, Twitter, Amazon, and all kinds of other accounts, all at once," said Nohl.

Senator Ron Wyden released a statement calling the data Syniverse handles "espionage gold" to nation states. "That this breach went undiscovered for five years raises serious questions about Syniverse's cybersecurity practices."

Wyden said that the Federal Communications Commission should look into the affair. The investigation should determine if Syniverse's policies were negligent, see if other similar companies endured similar breaches, and then to set "mandatory cybersecurity standards for this industry," said Wyden.