Data Breach Report: Some SMS Notifications Sent To France and Italy Were Exposed

On July 2, 2024 we received a notice from Twilio, our SMS provider, about a data leak involving IdentifyMobile, one of their downstream carriers. The downstream carrier had made an AWS S3 bucket public from May 10-15, 2024. The bucket contained message-related data sent between January 1, 2024, and May 15, 2024.

After requesting additional information, Twilio informed us that the leak included 13 SMS notifications sent by Healthchecks.io. The leaked data includes the message body, recipient number, and timestamp. Unfortunately, Twilio could not determine which specific recipient numbers were impacted, but they knew only messages to France and Italy were impacted. On July 5, we notified all users with phone numbers in the affected regions, 40 accounts in total.

Q: I received “Notice of Security Incident With SMS Notifications” from Healthchecks. Is there anything I should do?

Your Healthchecks.io account is not compromised; there is no need to change its password.

You could consider switching from SMS to a different notification method that does not require your phone number, for example Pushover. No service is immune to security incidents, but if they do not have your phone number in the first place, they cannot leak it.

Q: Why did you notify 40 accounts if only 13 messages were exposed?

Twilio provided a list of exposed message IDs, but not the associated phone numbers. We cannot associate message IDs with phone numbers, because we have configured our Twilio account to retain message logs for only 7 days. We had selected the relatively short log retention period, ironically, to minimize the damage in case the message logs somehow leaked.

We asked Twilio support to request the recipient phone number data from IdentifyMobile, as they presumably still have access to the data that was exposed. According to Twilio, IdentifyMobile are “currently unable to share the requested information due to the sensitive nature of it”.
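The decision described above, as an added example that is not Healthchecks.io's own code: given the provider's list of exposed message IDs and a local message log that only covers the last 7 days, resolve exact recipients where the log still has them, and otherwise fall back to notifying every account with a number in the affected countries (+33 France, +39 Italy). The message IDs, numbers, log entries and account names are constructed placeholders.

```python
from datetime import date, timedelta

# Constructed sample data: placeholder IDs and numbers, not real values.
AFFECTED_PREFIXES = {"+33": "France", "+39": "Italy"}

# Local SMS log kept for only 7 days, as the report describes.
LOG_RETENTION = timedelta(days=7)
TODAY = date(2024, 7, 4)  # day the exposed ID list was received
LOCAL_LOG = [
    {"sid": "SM_example_recent", "to": "+33600000001", "sent": date(2024, 7, 1)},
]

# Account -> phone number on file (constructed).
ACCOUNTS = {
    "acct-1": "+33600000001",  # France
    "acct-2": "+39300000002",  # Italy
    "acct-3": "+44770000003",  # UK, not affected
}


def resolve_recipients(exposed_ids, local_log, today=TODAY):
    """Map exposed message IDs to recipient numbers via the local log.

    Entries older than the retention window are treated as already purged.
    Returns (resolved recipient numbers, IDs that could not be resolved).
    """
    cutoff = today - LOG_RETENTION
    by_sid = {e["sid"]: e for e in local_log if e["sent"] >= cutoff}
    resolved = {by_sid[s]["to"] for s in exposed_ids if s in by_sid}
    unresolved = [s for s in exposed_ids if s not in by_sid]
    return resolved, unresolved


def accounts_to_notify(exposed_ids, local_log, accounts, today=TODAY):
    """Notify exact recipients when every exposed ID resolves; otherwise
    take the conservative route and notify every account whose number is
    in an affected country, which is what the report did for 40 accounts."""
    resolved, unresolved = resolve_recipients(exposed_ids, local_log, today)
    if not unresolved:
        return {a for a, num in accounts.items() if num in resolved}
    return {a for a, num in accounts.items()
            if any(num.startswith(p) for p in AFFECTED_PREFIXES)}
```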

Timeline

  • May 10, 2024: IdentifyMobile makes AWS S3 bucket containing sensitive data public.
  • May 15, 2024: IdentifyMobile fixes the leak.
  • July 2, 2024: Twilio sends a notice of security incident to its customers.
  • July 3, 2024: We request additional information from Twilio support.
  • July 4, 2024: Twilio support clarifies what information was exposed, and provides a list of the 13 exposed message IDs.
  • July 5, 2024: We send a notice of security incident to the 40 potentially affected users.
  • July 5, 2024: We ask Twilio support to request recipient numbers from IdentifyMobile. On the third attempt, Twilio agrees to do it.
  • July 10, 2024: Twilio support informs us IdentifyMobile cannot share the requested information.
  • July 11-16, 2024: We ask Twilio support follow-up questions about plans to audit their other carriers and sub-carriers, and receive non-specific answers.
  • July 19, 2024: We publish this report.