Data Breach: Millions of Phone Numbers, Recordings, and Call Logs Compromised in Data Leak

Cyber Research Team
Published by Cyber Research Team on March 02, 2021

WizCase security team has found a major breach in phone-tracking service Ringostat’s database. This leak left vulnerable phone numbers, call recordings, call logs, and more to potential attack. The leaked data numbers in the millions and was accessible to anyone who possessed the link. There was no need for a password or login credentials to access the information, and the data was not encrypted. The leak has since been secured.

What’s Happening?

Ringostat is an Eastern European company specializing in call-tracking, analytics, and other marketing aids for smartphones. It was founded in 2013 and operates worldwide but mainly in Ukraine and Russia.

Our team of ethical hackers led by Ata Hakçıl discovered an ElasticSearch database used by Ringostat which exposed over 800 GB of user data.

What Data Was Leaked?

The ElasticSearch server leak exposed the details of 67,000 Ringostat clients. As the company is based in Ukraine, most of its clients could be identified as Ukrainian or Russian. The information leaked included approximately 8,000,000 voice recordings, 13,000,000 phone numbers, and hundreds of millions of call logs and metadata. All told, approximately 2 billion records were leaked.

Redacted client details

Redacted example of client details

The voice recording information could be accessed by anyone with a link and an Internet connection, leaving millions vulnerable.

Metadata included information like which phone number called and which number received the call, if the recipient answered; timestamp of the call; the IP address of the one who received the call; duration of the call (both overall duration and billable duration); GSM carrier; and client company who received the call.

Redacted metadata information

Redacted example of metadata information

Our team also found payment records from Stripe, including users’ id, IP, port, and the time of the transaction. Client details included company names, emails, number of emails, and phone numbers. Call recording data contained IP, port, and timestamp. Below is a table summarizing the types of records leaked and what data those records contained.

Type of Record Data Leaked
Metadata Phone number of caller and receiver, whether or not the call was answered, timestamp of the call, IP address, overall duration of the call, billable duration of the call, GSM carrier, and client company who received the call
Payment Records User id, IP, port, and time of transaction
Client Details Company name, associated email addresses, number of open deals, number of emails, and phone numbers
Call Recording Data IP, port and timestamp

It appeared that some media sites misunderstood our report. To make it clear, we did not state that the data we found was stolen data. We discovered an open, unprotected and unencrypted ElasticSearch server owned by Ringostat themselves. Our team cannot confirm whether or not the data was stolen while it was open.

What Are the Risks and How to Protect Yourself

Identity Theft: Leaked personally identifiable information (PIIs) can be used to access accounts on other websites, leading to further information leaks and outright identity theft. If found by bad actors, this information can lead to severe financial loss for many.

Scams, Phishing, and Malware: It is common for unethical hackers and criminals on the Internet to use personal data to create trustworthy phishing emails. The more information they possess, the more believable these emails look. Clicking on emails or attachments in these emails often results in giving the hackers an opportunity to force you to download malware or obtain easy access to your account.

Corporate Espionage: Competitors could target users on the database and attempt to steal them. If a law firm used Ringostat, for example, a rival firm could use their data to snipe potential clients from firms using Ringostat. This can result in severe financial loss for users.

Theft: Some of the voice recordings found in the database contain calls to moving companies and the like. With this information, criminals could pose as the moving company and arrive earlier than the real moving company and steal property.

Unfortunately, the above list is not comprehensive, and cybercriminals are always generating new methods to exploit anyone vulnerable on the Internet. However, users have ways to protect themselves.

As Ringostat is B2B (business-to-business), end users would not know if their data was leaked unless a service informed them. For future purposes, we recommend always inputting the bare minimum of information when making a purchase or setting up an account on the Internet. The less information you give hackers to work with, the less vulnerable you are to attack.

Though most email clients have methods to block spam and phishing attempts, they are not 100% effective. When receiving an unexpected email from a seemingly trustworthy source, do not open any attachments. Phishing emails often use scare tactics to force users to open the attachment. If you are ever unsure about an email from a trustworthy company, give them a call. This will usually let you verify whether the attachment is legitimate or not. A good antivirus program can also aid in protection from malware, trojans, and other dangers.

For examples of theft, do not let them into your home on first request. If you are ever unsure of your safety in these situations, always verify the identity of company employees who show up to work with the company itself.

Here are comments from Ringostat that we added as a courtesy – we cannot confirm these claims:

“1. There was no data leakage to the network. This was confirmed by our unscheduled security audit.

2. No company is totally secured against the detection of vulnerabilities or bugs. They occur after software updates (third-party programs, operating systems, etc.). The most important thing is how quickly the company fixes these vulnerabilities.
We react without delay, as a result our customer data is safe.

3. We cooperate with White hats to help us improve our security.” [Note from the author: Other than sharing our findings with Ringostat, there was no cooperation between us and the company.]

Why Should I Trust WizCase?

I am a well-known online security platform, WizCase, providing guidance and insights to a vast readership weekly. Our website has been translated into over 30 languages, earning the confidence of a broad global audience. Our team regularly discovers new data breaches across the internet and contacts them to companies responsible for them prior to publishing any reports. We have found links on websites and in databases relating to news websites, popular dating apps, and the medical industry. Together, we’re working hard towards creating a safer online environment for everyone.

In this case, we reached out to Ringostat the day after our discovery. They never got back to us and the server was secured within a few days.

We rank vendors based on rigorous testing and research, but also take into account your feedback and our commercial agreements with providers. This page contains affiliate links.

Did you like this article? Rate it!
I hated it I don't really like it It was ok Pretty good! Loved it!
4.10 Voted by 3 users
Thanks for your feedback