Criminals were inside Syniverse for 5 years before anyone noticed

“A global privacy disaster”, “espionage gold”, and “a state-sponsored wet dream” are just some of the comments one can read regarding the breach at Syniverse, a key player in the tech/telecommunications industry that calls itself the “center of the connected world.”

In a filing with the US Securities and Exchange Commission, Syniverse said the breach affected more than 200 of its clients, which together have billions of cellphone users worldwide. Syniverse’s clients include Verizon, AT&T, T-Mobile, Vodafone, China Mobile, Telefonica, and America Movil, to name a few.

The company revealed that it first noticed the breach in May 2021, but that the access had begun in May 2016—a whole five years before.

According to Motherboard, who first wrote about this story, Syniverse receives, processes, stores, and transmits electronic customer information, which includes billing information among carriers globally, records about calls and data usage, and other potentially sensitive data. It processes more than 740 billion SMS messages alone per year, routing text messages between users of two different carriers (both in the US and abroad).

The filing said that “Syniverse’s investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (“EDT”) environment was compromised for approximately 235 of its customers.”

In an email interview with Motherboard, Karsten Nohl, a security researcher, is quoted as saying, “Syniverse systems have direct access to phone call records and text messaging, and indirect access to a large range of Internet accounts protected with SMS 2-factor authentication. Hacking Syniverse will ease access to Google, Microsoft, Facebook, Twitter, Amazon and all kinds of other accounts, all at once.”

A telecom industry insider who spoke to Motherboard said: “With all that information, I could build a profile on you. I’ll know exactly what you’re doing, who you’re calling, what’s going on. I’ll know when you get a voicemail notification. I’ll know who left the voicemail. I’ll know how long that voicemail was left for. When you make a phone call, I’ll know exactly where you made that phone call from.”

“I’ll know more about you than your doctor.”

Motherboard asked Syniverse whether the hackers had accessed or stolen personal data on cellphone users, but Syniverse declined to answer.

Syniverse said all EDT customers have had their credentials reset or inactivated, whether they were part of the breach or not. The company says no further action is required on behalf of those customers.

“We have communicated directly with our customers regarding this matter and have concluded that no additional action is required. In addition to resetting customer credentials, we have implemented substantial additional measures to provide increased protection to our systems and customers.”