Five-Year Syniverse Data Breach May Have Leaked Trillions Of Mobile User Text Messages

syniverse leak story topimage2

Most people probably don't know this, but the big service providers like T-Mobile, AT&T, and Verizon contract out to third-party services to help with transmitting SMS text messages, both between carriers and abroad. One of the largest of those companies is called Syniverse, and it handles text messages sent using the above-mentioned services, as well as international companies like Vodafone, China Mobile, Telefonica, and America Movil.

A week ago, Syniverse filed a statement with the US Securities & Exchange Commission (SEC) that reveals that "an unknown individual or organization gained unauthorized access to databases within its network on several occasions, and that login information [...] was compromised for approximately 235 of its customers." 235 customers doesn't sound like a big deal, but remember that Syniverse's customers are not end-users, they're networks.

Reporting on the filing, Vice quotes its unnamed sources as saying that whoever hacked Syniverse "could have had access to metadata such as length and cost, caller and receivers' numbers, the location of parties in the call, as well as the content of SMS text messages." That's pretty concerning given that the unauthorized access to Syniverse's servers supposedly started way back in 2016. By its own account, Syniverse handles over 700 billion text messages every year; the amount of data available could be enough to build a detailed profile of a person's behavior and activites.

syniverse map slide inline
Source: Syniverse

U.S. Senator Ron Wyden (D-OR) told Motherboard that "the information flowing through Syniverse's systems is espionage gold," and he may be right. Many people fall back to SMS text messaging for private matters, seeing it as a more secure channel than messaging over services owned by Google, Facebook, and other companies. Senator Wyden goes on to say that he wants Syniverse's breach thoroughly investigated, and to have the FCC mandate cybersecurity standards for the industry.

For its part, Syniverse's response to a request for comment was focused on the potential effects to the company's material value, stating that it "does not anticipate these events will have any material impact" on its operations or services. The company's response is unsurprising in the face of the fact that it is currently planning to go public by way of a merger with M3-Brigade Acquisition II Corp.

Little has been said so far by anyone on the possible impact of this breach on the public at large, but given the frequency of security breaches like this, those effects may be hard to pin on any one particular incident. For now, we'd probably recommend switching to a secure messaging app (like Signal) for any sensitive messages.