Major SMS routing company says it was the victim of a five-year hack (updated)

US carriers were likely affected, but it's not clear how.

diego_cervo via Getty Images

A cornerstone of text messaging has been vulnerable for half a decade. Ars Technica reports that Syniverse, which routes billions of SMS chats for hundreds of carriers in the US and abroad, has used an SEC filing to disclose a hack that lasted for five years.

The company discovered in May 2021 that someone had "unauthorized access" to its operational and IT systems since May 2016, and during that time had "several" opportunities to access network databases. The intruders compromised logins for Syniverse's Electronic Data Transfer environment for about 235 carriers, according to the company.

The routing firm wouldn't say if the attackers obtained messages or otherwise violated users' privacy. In a statement to Ars, Syniverse generally kept to what it revealed in the SEC filing. The company said it hadn't found evidence of an "intent to disrupt" operations, and there was "no attempt to monetize" activity. The company couldn't rule out future discoveries, however, and a Motherboard source said the EDT space included call record information. The intruders could have obtained text message content, the source added.

We've asked AT&T, T-Mobile and Verizon (Engadget's former parent company) if the attackers could have compromised texts passing through their networks. Syniverse said it fixed the security flaws and notified all customers when legally required, but that "no additional action" was necessary at this stage.

While that response suggests the practical damage might be limited, there's still cause for concern here — the attackers might have had access to massive volumes of sensitive messages while an important custodian was unaware. If nothing else, this is a reminder that mobile security depends as much on partner companies as it does carriers and phone makers.

Update 10/6 1:20PM ET: T-Mobile told Engadget there was "no indication" the breach compromised text messages or other personal details for the carrier's users.