Mass Texting Service Breach Sends Hundreds of Thousands of Scam Messages

Hackers breached a mass texting service, Mobile Commons, on November 10th, sending hundreds of thousands of scam texts to subscribers of New York state alerts, a Catholic charity, and a political organizing group.

According to NBC New York, the unauthorized access was likely achieved through a spear phishing attack or similar social engineering method, remaining undetected for a four-hour period. During this time, multiple spam messages were dispatched before the company's security protocols intervened.

Mobile Commons works with various organizations to send public service announcements and fundraising texts using short code numbers, which are five or six digits long and regulated to avoid spam classification.

The U.S. Short Code Registry reported an increase in attacks targeting the industry, urging companies to enhance their cybersecurity measures. The report indicates that around 188,000 New Yorkers receive texts from the state, with approximately 160,000 receiving the scam texts.

Messages referred to nonexistent transactions and encouraged recipients to call a number linked to the scam, now disconnected. Although Mobile Commons stated it doesn't believe customer or subscriber data was compromised, the extent of financial harm remains unclear.

A telecommunications industry source noted that over 70,000 scam texts were logged on the day of the breach, a significant increase given that fewer than 10,000 messages are typically sent from those numbers in a day.

Both New York state officials and representatives from the Catholic Relief Services confirmed they had not authorized the scam messages. The incident raises serious concerns about the security of digital communication platforms and the ongoing challenges in safeguarding personal information against cyber threats.