Posted on October 5, 2021 at 4:38 PM

Breach on Syniverse has Stolen Voluminous User Data for Five Years

Hacking attacks have been on the rise in recent months. The recent hack was against Syniverse, a firm dealing in text messages and general telecommunications frameworks for different mobile carriers globally.

Syniverse has confirmed that it was recently hacked and that the intruders in question gained access to sensitive user information. The hackers infiltrated these sensitive details for several years.

235 Customer Details Compromised

Syniverse made this admission through a filing with the SEC on September 27. In the fining, the company stated that “an individual or organization gained unauthorized access to databases within its network.” following this attack, the databases of around 235 customers were compromised.

Syniverse offers a communication backend. Hence, each of the customers affected by this hack could also be carriers or additional bugs. This case shows that the attack could have led to a breach that affected hundreds of millions of people. The number of affected users could also run into the billions, given the massive clientele base of this company.

However, the details that have been shared with publications about this hack have been limited. In responses to these firms, Syniverse failed to state the extent to which the breach was conducted or the type of data affected during the breach.

However, sources from personnel working with the carrier company have given clues about the type of data affected during this breach. The breach affected a broad spectrum of metadata, including the duration and cost of a call or text message, user phone numbers and locations. The hackers could even read the content of the text messages, demonstrating that the scope of the breach during this attack was massive.

Given the type of services that this firm offers, it shows that the hackers had access to substantial information that could otherwise compromise operations. The source from the firm states that “it inevitably carries sensitive info like call records, data usage records, text messages”, given that it is a major exchange hub for information among users.

Not all Messaging Services were affected

Not all phone messaging functions were affected during this breach. The information of iOS users was protected from finding its way into the hackers’ hands because iMessage comes with end-to-end encryption that prevents the content of these messages from being compromised by third parties.

Nevertheless, not all iPhone users were protected from this hacking attack because those who communicated with android devices ended up compromising the privacy of their messages. With iMessage, the only way the user was protected was to send messages to another Apple device. However, if the recipient does not use an Apple device, the content of their text messages will not be protected from these data breaches.

The details of this hack were only exposed towards the end of last month. However, it looks as if the breach occurred for several years, starting from May 2016 to May 2021. This further extends the number of users whose information was compromised during this period by the hackers.

Syniverse is also a telecommunication service provider that is used by multiple companies. Among the firm’s clients includes AT&T, T-Mobile, Verizon and other leading global firms. Furthermore, the firm has also processed over 740 billion text messages annually, demonstrating that the extent of this breach could be a major crisis.

SMS lacks privacy features, which has made these messaging platforms susceptible to hackers. According to Karsten Nohl, a security researcher, this breach could result in a “global privacy disaster” given the voluminous amount of data the hackers had access to.

Nohl further added that “Hacking Syniverse will ease access to Google, Microsoft, Facebook, Twitter, Amazon and other kinds of other accounts all at once.” This follows the argument that SMS platforms leave users vulnerable because text messages are not the only ones affected, as there is also the issue with SMS-based two-factor authentication processes. Besides, the hacks also allowed the users to have direct access to the phone call records of users.

This hacking attack has also attracted the attention of politicians, with US Senator Ron Wyden stating that the data that the breach was able to access as “espionage gold” to foreign states. “That this breach went undiscovered for five years raises serious questions about Syniverse’s cybersecurity practices,” Wyden added.

Wyden further called for the Federal Communications Commission to investigate the matter. These investigations will help to determine whether the hack happened because Syniverse’s policies were negligent or if there are other companies operating in this niche that are also dealing with the same type of breaches that are going undetected. Wyden also called for “mandatory cybersecurity standards for this industry.”