
SMS marketing service leaked data now publicly and freely available.

22 August 2022
BREACHAWARE HQ
SMS

A total of 11 breach events were found and analysed, resulting in 44,960,407 exposed accounts containing a total of 14 different types of personal data. The breaches found publicly and freely available included Apex SMS, Launch SMS, Book Crossing, Wired Bucks and Avtoto. Sign in to view the full library of breach events which includes, where available, reference articles relating to each breach.

Categories of Personal Data Discovered

Contact Data, Technical Data, Special Category, Socio-Demographic Data, Locational Data, Social Relationships Data.

Data Breach Analysis

The exposure of SMS service platforms is particularly concerning, as these companies often store contact databases, communication logs, or other metadata that could be leveraged in smishing (SMS phishing) attacks or mass spam campaigns. A compromise here doesn’t just affect platform users; it could ripple out to anyone in their contact lists or campaigns.

Book Crossing, a community-driven book sharing and tracking platform, illustrates how even hobby-oriented services can be a liability if data is not adequately secured. Though it may appear niche, the volume of exposed data suggests sustained user engagement over time.

The breach involving Avtoto, likely linked to automotive classifieds or services, poses risks for users who may have shared location, vehicle, or transaction-related details, raising the threat of fraud, impersonation, or targeted scams.

For organisations, these events underscore the urgency of ensuring data protection not only for customer data but also across integrated services and communication channels. When breached, such services become tools for further exploitation, affecting both individual privacy and enterprise trust.

Spotlight

First up, Wired Bucks, who market themselves as a social media influencer site where you invite your friends and get rich quick. In reality, none of those things actually happen. It's a data harvesting website that offers a free phone if you give up your credit card details. With over 900k users signed up, the admins of the site must have thought it was going rather well until a SQL dump of their site appeared on a popular underground forum several days ago, which was then quickly de-hashed by some other members of the hacking community. There are now 900,000 Wired Bucks user email addresses and plain text passwords in circulation.

A London court has rejected the U.S. government's attempt to keep the operator and administrator of the marketplace RaidForums in prison while he awaits an extradition hearing. RaidForums was one of the top hacking forums, which offered a great place for threat actors to hang out and gave a solid platform for the sale of stolen and public data to the underground community. It was shut down and seized by US law enforcement last year.

And finally, a bulk SMS marketing service, which was breached several years ago (2019), has just made an appearance online, publicly and freely available. The site in question advertises a bulk SMS service and portrays itself as legitimate, saying its services could be used for reminders to minimise missed appointments for the service industry or "sending engaging marketing campaigns."

We don’t know if it's just us, but we've never received 'engaging marketing' via SMS. However they do, we think they are more of a bulk SMS spam company with the infrastructure to send out tens of thousands of SMS messages a day. A range of datasets were disclosed in the breach, and a whopping 26 million unique email addresses and mobile phone numbers were also included, along with IP addresses.
