Three terabytes of Russians' personal data from SMS aggregators are being sold on the darknet

The seller claims that the leak includes names, phone numbers, IP addresses, and bank messages

An advertisement has appeared on the darknet for the sale of three terabytes of data, allegedly stolen from two major Russian SMS aggregators, SecurityLab reports. The seller claims that the leak contains names, phone numbers, IP addresses, bank messages, activation codes, and other confidential information.

To back up the claim, the attacker attached a link to a file-sharing service and contact details for Telegram, Signal, and email. There is no official confirmation of the incident yet.

Experts note that such an attack poses a threat to the supply chain of digital services. Thousands of applications use SMS channels to deliver one-time codes, PIN codes, password reset links, and notifications. Intercepting this data opens the way to mass hijacking of user accounts, from mail and banks to messengers and crypto services. A similar incident involving Twilio in 2022 affected 163 companies and about 1900 Signal accounts.

In addition to gaining direct access to 2FA codes, attackers can send messages from trusted sender names and short codes (alpha-ID / short code), bypassing filters and creating channels for phishing, fraud, and BEC attacks. Access to databases of numbers, message texts, and metadata (sending time, recipients) is valuable for targeted attacks, blackmail, and surveillance. Similar risks were recorded earlier in the Syniverse and Mitto hacks, which put billions of messages at risk and exposed the ability to track users.

Compromising SMS channels also threatens corporate and administrative systems. Through such channels, attackers can target employee MFA and gain access to mail, cloud services, and CI/CD. In 2024, the Authy incident confirmed the compromise of 33 million numbers through an unprotected node.

Beyond the technical risks, financial and reputational consequences are possible: unforeseen messaging costs, fines for violating personal data protection laws (FZ-152, GDPR, CCPA), and a drop in confidence in SMS as a notification channel. So far, neither the aggregators, nor telecom operators, nor regulators have confirmed the leak.