Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts

  • Companies that use Broadvoice’s cloud-based VoIP platform may find their patients, customers, suppliers and partners to be impacted by a massive data exposure.

    Broadvoice, a well-known VoIP provider that serves small- and medium-sized businesses, has leaked more than 350 million customer records related to the company’s “b-hive” cloud-based communications suite.

    The data includes hundreds of thousands of voicemail transcripts, many involving sensitive information such as details about medical prescriptions and financial loans.

    Broadvoice offers one of the more popular business platforms for communications, including voice, call-center technology, remote-workforce support, integration, unified communications, SIP trunking and more. Much of this is offered through b-hive, which it hosts on behalf of customers such as doctors’ offices, law firms, retail stores, community organizations and more.

    Because its technology underpins these customers’ basic interactions with patients, clients, partners, suppliers and others, a lot of personal data flows through Broadvoice’s cloud-based systems. And that data is apparently retained by the company, so that its business customers can access it if needed.

    Unfortunately, according to researchers at Comparitech, Broadvoice left an Elasticsearch database cluster containing this data open to the internet, accessible to anyone, with no authentication required. The cache of data included records with personal details of Broadvoice clients’ customers, they noted.

    The misconfigured cluster included 10 separate collections of data, related to b-hive.

    The largest collection (275 million records) included full caller name, caller ID, phone number, and city and state. Meanwhile, a collection entitled “people-production” contained account ID numbers for Broadvoice’s own customers, which allowed researchers to cross-reference entries with data in other collections.

    But the most concerning one held 2 million voicemail records, with more than 200,000 transcripts.

    “Many of the transcripts included select personal details such as full name, phone number and date of birth, as well as some sensitive information,” according to a Comparitech posting on Thursday. “For example, some transcripts of voicemails left at medical clinics included names of prescriptions or details about medical procedures. In one transcript, the caller identified themselves by their full name and discussed a positive COVID-19 diagnosis.”

    Researchers added, “Other voicemails left for financial-service companies included details about mortgages and other loans, while there was at least one instance of an insurance-policy number being disclosed.”

    Most of these records also contained a full name, business name or a generic name such as “wireless caller”; phone number; a name or identifier for the voice mailbox (such as “appointments”); and internal identifiers, according to Comparitech.

    Aside from the privacy implications, the data paves the way for convincing fraud attempts, researchers noted.

    “The leaked database represents a wealth of information that could help facilitate targeted phishing attacks,” the firm noted. “In the hands of fraudsters, it would present a ripe opportunity to dupe Broadvoice clients and their customers out of additional information and possibly into handing over money. For example, criminals could pose as Broadvoice or one of its clients to convince customers to provide things like account login credentials or financial information.”

    Meanwhile, “information about things like medical prescriptions and loan enquiries could be used to make messages highly convincing and persuasive.”

    The collections were discovered by researcher Bob Diachenko on Oct. 1, and were secured the same day, according to Broadvoice. The cluster had been uploaded on Sept. 28, meaning it was exposed for about four days.

    “Broadvoice takes data privacy and security seriously,” Broadvoice CEO Jim Murphy said in a statement. He added, “At this point, we have no reason to believe that there has been any misuse of the data. We are currently engaging a third-party forensics firm to analyze this data and will provide more information and updates to our customers and partners. We can’t speculate further about this issue at this time.”

    He also said that Broadvoice is working with Diachenko to ensure that the retained data is destroyed.

    Threatpost has reached out to Broadvoice to ask about its data-retention policies, and whether its business customers will be issuing data-breach notifications to their own affected customers.