Major SMS routing company admits it had been hacked for five years

Daniel Sims

Posts: 448   +18
Why it matters: A company that routes billions of text messages around the world every year recently (and quietly) revealed that someone had unauthorized access to its systems for five years. They aren't saying what information was accessed or if any text messages were exposed.

Syniverse is used by mobile carriers like Verizon, T-Mobile, and AT&T to route SMS text messages. Late last month it sent a filing to the US Securities and Exchange Commission to propose merging with another company. The filing is hundreds of pages long, but tucked away in the section laying out the risks Syniverse brings to the merger, near the bottom of page 69, is an admission that it was hacked in 2016 and didn't find out about it until earlier this year.

The filing describes an incident in May 2021, which is when Syniverse became aware that an unknown entity had accessed its operational and information systems. An investigation revealed that they had accessed Syniverse's systems several times between May 2016 and May 2021, compromising the login information for 235 of its Electronic Data Transfer (EDT) customers.

In the filing, Syniverse says it "promptly" contacted law enforcement, legal council, and the affected customers. While it says it didn't detect any attempt to monetize or otherwise misuse the accessed data, Syniverse says it can't be sure it won't uncover more evidence related to the hack in the future. Syniverse also says it updated its systems after finding out about the hack, but didn't go into detail as to how.

According to Ars Technica, neither Syniverse, Verizon, T-Mobile, nor AT&T have given any more information on the potential for compromised SMS messages. Vice's Motherboard section also hasn't gotten any more information from Syniverse, but their sources tell them anyone who accessed Syniverse's systems could've gotten to extensive information about calls including length, phone numbers, location data, and SMS message content. The infiltrator could've gotten that information for millions of customers worldwide during those five years.

As an example of how wide-reaching Syniverse is, in 2019, over 100,000 text messages were delayed by months because one of their servers failed. When the server was reactivated, Valentines Day messages ended up being delivered in November.

Image credit Eddy Billard

Permalink to story.



Posts: 334   +318
I just posted in another recent article about an attack involving SMS 2FA, saying how insecure SMS is:

This just further proves my point. RCS needs to be pushed harder. Carriers are currently trying much harder to phase out 3G than they are SMS by mandating HD Voice or VoLTE on all new phone activations. Mandating RCS on new phones is no harder than mandating VoLTE. A part of me suspects that SMS isn't being phased out as aggressively because it's such a convenient surveillance goldmine. There's basically no real security or privacy to speak of. SMS is more open than plain old unsecured HTTP.. Any company that allows only SMS for 2FA clearly doesn't care much about actual security.

Carriers and devices that support RCS Universal Profile:
Last edited:


Posts: 107   +72
The people trying to get dirt on every current and wanna be politician must be jumping for joy hoping that the info will be leaked somewhere.