VoIP Firm Broadvoice Leaks 350 Million Customer Records

A US-based VoiP provider has been found leaking over 350 million customer records, after a configuration error left several online databases exposed.

Researcher Bob Diachenko found the unprotected Elasticsearch database clusters belonging to Broadvoice on October 1.

The trove of 10 databases included one containing more than 275 million records. It featured full caller name, identification number, phone number, state and city.

Perhaps more dangerous from a privacy perspective was another collection of over two million records that included names, phone numbers and, for 200,000 records, call transcripts.

According to Comparitech, which worked with Diachenko on the case, some of these transcripts themselves contained sensitive details such as voicemails left at medical clinics and financial services firms.

Comparitech claimed most of the data belongs to Broadvoice XBP customers.

“The leaked database represents a wealth of information that could help facilitate targeted phishing attacks. In the hands of fraudsters, it would offer a ripe opportunity to dupe Broadvoice clients and their customers out of additional information and possibly into handing over money,” Comparitech argued.

“For example, criminals could pose as Broadvoice or one of its clients to convince customers to provide things like account login credentials or financial information.”

Some exposed data, such as insurance policy numbers and financial loan details, could even be used to attempt identity fraud without the need for further phishing, it added.

However, Broadvoice reacted relatively quickly to the notification on October 1, fixing the privacy snafu by October 4.

The firm’s CEO, Jim Murphy, claimed the data had been “inadvertently” stored in an unsecured database on September 28, and said that law enforcement has been informed and an investigation has been launched.

“At this point, we have no reason to believe that there has been any misuse of the data,” he continued.

“We are currently engaging a third-party forensics firm to analyze this data and will provide more information and updates to our customers and partners. We cannot speculate further about this issue at this time. We sincerely regret any inconvenience this may cause.”

What’s Hot on Infosecurity Magazine?