Database Run by TrueDialog Reportedly Left Unprotected

On December 1, 2019, reported (“Millions of SMS messages exposed in database security lapse”) that “[a] massive database storing tens of millions of SMS [] text messages, most of which were sent by businesses to potential customers, has been found online.”  According to, the database of SMS messages is “. . . run by TrueDialog, a business SMS provider for businesses and higher education providers, which lets companies, colleges, and universities send bulk text messages to their customers and students.” reported that “[t]he database stored years of sent and received text messages from its customers and processed by TrueDialog. But because the database was left unprotected on the internet without a password, none of the data was encrypted and anyone could look inside.”

Some of the data reviewed by, reportedly, “contained detailed logs of messages sent by customers who used TrueDialog’s system, including phone numbers and SMS message contents,” as well as “information about university finance applications, marketing messages from businesses with discount codes, and job alerts, among other things.”

The data, according to, “also contained sensitive text messages, such as two-factor codes and other security messages, which may have allowed anyone viewing the data to gain access to a person’s online accounts.”  Further, “[m]any of the messages [] reviewed contained codes to access online medical services to obtain, and password reset and login codes for sites including Facebook and Google accounts[,] as well as “usernames and passwords of TrueDialog’s customers, which if used could have been used to access and impersonate their accounts.”

On December 1, 2019, reported (“Over 100 million Americans had their personal data exposed in major text data breach”) that “[t]he information available from the breached database not only includes tens of millions of texts from hundreds of millions of American users, it also contained millions of usernames, passwords (some in cleartext, others encoded but easy to decrypt) and more.” According to

The database is hosted by Microsoft Azure and runs in the U.S. on the Oracle Marketing Cloud. It contains 1 billion entries adding up to 604GB of data. This data includes information about TrueDialog’s business, its business clients and the latter’s customers. All of this information could have been used by bad actors to steal identities and money from those with information exposed in the breach. Additionally, all of this data could have been sold to marketers and scammers. Knowing all of this information would make it easier for bad actors to engage in phishing schemes.

Have You Been Impacted by A Data Breach?

If so, please either contact Kehoe Law Firm, P.C. Partner Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form on the right or send an e-mail to [email protected] for a free, no-obligation case evaluation of your facts to determine whether your privacy rights have been violated and whether there is a basis for a data privacy class action.

Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs.  Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.