Company that routes SMS for all major US carriers was hacked for five years

Syniverse, which routes hundreds of millions of text messages each year for hundreds carriers, including Verizon, T-Mobile and AT&T revealed to regulators that a hacker had gained unauthorized access for five years to its databases. The hacker may have had access to text messages of customers, but Syniverse and the carriers are unable to confirm this.
Last week, Syniverse filed a filing with the Securities and Exchange Commission stating that Syniverse was aware in May 2021 of an unauthorised access to its operational and IT systems by an unknown person or organization. Syniverse immediately launched an internal investigation after recognizing the unauthorised access. It notified law enforcement and began remedial actions.

Syniverse stated that it had "investigated that the unauthorized entry began in May 2016" as well as "that an individual or organization gained unauthorized acces to its network databases on multiple occasions and that login information allowing for access to its Electronic Data Transfer ('EDT) environment was compromised for approximately 237 of its customers."

Syniverse isnt revealing more details

Ars reached out to Syniverse today and a spokesperson for the company provided a general statement which largely repeats the SEC filing. Syniverse refused to answer specific questions about whether or not text messages were disclosed and the impact on major US carriers.

Syniverse stated, "Given our confidential relationship with customers and the ongoing law enforcement investigation,"

A preliminary proxy statement filed with the SEC is related to a merger with a special-purpose acquisition company. This will make Syniverse a publicly traded company. The document was filed by M3Brigade Acquisition II Corp. (the blank-check company). The document, which is typical for SEC filings discusses risks for investors. In this case, it includes security-related risks as demonstrated by the Syniverse hack. Advertisement

300 Syniverse route messages for operators

Syniverse claims that its intercarrier messaging system processes more than 740 billion messages annually for more than 300 mobile operators around the world. Although Syniverse is not a household name, it plays an important role in ensuring that your text messages reach their destination.

Today, we asked AT&T, Verizon and T-Mobile whether the hacker had accessed people's texts. We will update this article if any additional information is available.

In November 2019, Syniverse's importance was brought to the forefront when over 168,000 SMS messages were delivered almost nine months late due to a server problem. They were left in a queue, and the messages were not delivered when the server crashed on February 14, 2019. The messages finally reached their intended recipients in November after the server was restarted.

Syniverse claims it has fixed vulnerabilities

Syniverse stated in its SEC filing and statement to Ars, that it reset or deactivated all EDT customer credentials "even though their credentials weren't impacted by this incident."

According to the SEC filing, Syniverse had notified affected customers about this unauthorized access. Syniverse concluded that no additional action, not even customer notification, was required at this point. Syniverse said it had also taken substantial additional measures to protect its customers and systems in response to the incident. However, they did not specify what those additional measures were.

Syniverse appears to be confident that everything is under control, but informed the SEC that there could still be problems due to the breach.

Syniverse didn't observe any evidence that Syniverse intended to disrupt its operations, or those of its customers. There was also no attempt to monetize this unauthorized activity. Syniverse believes that it has adequately remedied the vulnerabilities that led the incidents. However, it cannot be certain that Syniverse won't uncover evidence of exfiltration of misuse of its IT systems or data from the May 2021 Incident or that it will not suffer a cyber-attack in the future. Any such exfiltration could result in the public disclosure of or misappropriation customer data, Syniverse trade secrets or other intellectual properties, personal information of employees, material financial information, and other information that is related to its business.


The SEC filing Syniverse submitted was discussed in Vice's Motherboard Section yesterday. Vice claims that a former Syniverse employee working on the EDT systems said that those systems contained information about all call records. Vice quoted a telephone company employee who claimed that hackers could have accessed the contents of SMS texts.

Vice wrote: