Hackers May Have Had Access to Billions of Texts for Years, Global Telecom Company Admits

A global telecommunications company has admitted that hackers may have had access to billions of text messages from potentially millions of cellphone users for years.

Syniverse, which is part of the infrastructure used by AT&T, T-Mobile, Verizon and Vodafone among others, revealed that an unknown "individual or organization gained unauthorized access to databases within its network on several occasions," in a September 27 filing with the U.S. Securities and Exchange Commission.

The company estimates that the newly disclosed hack affected approximately 235 of its customers and potentially millions of other phone users as early as May 2016.

The filing notes the company was not aware of the unauthorized access until May of this year, meaning hackers could access information for a period of five years.

Texts Hacker Telecommunications Data Breach
Syniverse admitted that hackers may have had access to billions of text messages over a five-year span. Above, two people text with their phone outside Munthe on August 9, 2017 in Copenhagen, Denmark. Christian Vierig/Getty

Syniverse said all affected customers have been notified and had their credentials reset or inactivated. The company says no additional action is required at this time.

According to its website, the company processes more than 740 billion text messages every year and has "direct connections" to more than 300 cellphone operators around the world, including 95 of the top 100 carriers worldwide.

It is unclear which carriers were affected by the data breach. Depending on the operators affected, hackers could have obtained information on up to millions of users.

Syniverse says it has completed a thorough investigation of the incident and is cooperating with law enforcement to respond to the hack. In a statement sent to Newsweek, the company has also implemented additional measures to increase protection of its systems and clients.

"We will continue to communicate directly with our customers if needed," Syniverse said. "Given the confidential nature of our relationship with our customers and a pending law enforcement investigation, we do not anticipate further public statements regarding this matter.

While the scope of the hack remains unclear, Democratic Senator Ron Wyden of Oregon warned Vice's Motherboard that the hack could be "espionage gold."

"The information flowing through Syniverse's systems is espionage gold," Wyden said. "That this breach went undiscovered for five years raises serious questions about Syniverse's cybersecurity practices. The FCC needs to get to the bottom of what happened, determine whether Syniverse's cybersecurity practices were negligent, identify whether Syniverse's competitors have experienced similar breaches, and then set mandatory cybersecurity standards for this industry."

Earlier in August, millions of T-Mobile customers had their personal data, including names, Social Security numbers, driver's licenses information among other identifications, stolen by hackers.

CEO Mike Sievert said there is "no ongoing risk" but apologized for not "liv[ing] up to the expectations we have for ourselves to protect our customers."

T-Mobile, with 102.1 million customers, is one of the U.S. "big three" cellphone service carriers.

The Federal Communications Commission, which regulates wireless carriers, is investigating the T-Mobile breach.

Update (10/04/21, 6:28 p.m. ET): This story was updated with comments from Syniverse.