Major SMS routing company admits it had been hacked for five years

Major SMS routing company admits it had been hacked for five years

A company that routes billions of text messages around the world every year recently (and quietly) revealed that someone had unauthorized access to its systems for five years. They aren’t saying what information was accessed or if any text messages were exposed.

Syniverse is used by mobile carriers like Verizon, T-Mobile, and AT&T to route SMS text messages. Late last month it sent a filing to the US Securities and Exchange Commission to propose merging with another company. The filing is hundreds of pages long, but tucked away in the section laying out the risks Syniverse brings to the merger, near the bottom of page 69, is an admission that it was hacked in 2016 and didn’t find out about it until earlier this year.

The filing describes an incident in May 2021, which is when Syniverse became aware that an unknown entity had accessed its operational and information systems. An investigation revealed that they had accessed Syniverse’s systems several times between May 2016 and May 2021, compromising the login information for 235 of its Electronic Data Transfer (EDT) customers.

In the filing, Syniverse says it “promptly” contacted law enforcement, legal council, and the affected customers. While it says it didn’t detect any attempt to monetize or otherwise misuse the accessed data, Syniverse says it can’t be sure it won’t uncover more evidence related to the hack in the future. Syniverse also says it updated its systems after finding out about the hack, but didn’t go into detail as to how.

According to Ars Technica, neither Syniverse, Verizon, T-Mobile, nor AT&T have given any more information on the potential for compromised SMS messages. Vice’s Motherboard section also hasn’t gotten any more information from Syniverse, but their sources tell them anyone who accessed Syniverse’s systems could’ve gotten to extensive information about calls including length, phone numbers, location data, and SMS message content. The infiltrator could’ve gotten that information for millions of customers worldwide during those five years.

As an example of how wide-reaching Syniverse is, in 2019, over 100,000 text messages were delayed by months because one of their servers failed. When the server was reactivated, Valentines Day messages ended up being delivered in November.