
Researchers at Cybernews have uncovered a large data leak involving the popular iOS application Second Phone Number, which provides and manages virtual phone numbers. Personal messages, media files, and contact information belonging to users around the globe were left exposed.
The developers had positioned privacy as the cornerstone of their offering — a point prominently highlighted on the App Store page: “Need a second phone number for private calls and messages?” However, users who trusted the app to safeguard their personal information were met with a reality starkly at odds with those promises.
The investigative team identified a misconfigured Firebase instance, the Google-hosted backend that holds the application’s cloud database, as the root cause: the database could be read without any authentication. Despite multiple attempts to alert the developers of Second Phone Number, the issue remains unaddressed.
Determining the exact number of affected users is impossible, as the App Store does not disclose download statistics. Nevertheless, independent estimates suggest a significant scale: the app has been downloaded nearly four million times, with over three million installations originating from users in the United States.
At the time the vulnerability was discovered, researchers had access to more than 700 SMS messages. These included not only the message content but also the phone numbers of senders and recipients, along with the names of the intended contacts.
Aras Nazarovas, a cybersecurity expert at Cybernews, emphasized that the true extent of the breach is likely far greater. The app uses Firebase as a transient store, with messages passing through it rather than accumulating, so the volume of data that flows through it over time vastly exceeds what any single snapshot shows.
Experienced cybercriminals, well-versed in how Firebase works, routinely deploy scrapers against open databases. These tools query the database at short intervals, pull each new batch of records, and archive it elsewhere, so the attacker keeps a copy of everything even after the app deletes it. Polling is not even required: the Realtime Database REST API also offers a streaming mode (requests sent with an `Accept: text/event-stream` header receive every change as it happens), so anyone with read access can watch user activity in real time.
Such access represents a lucrative asset. Some users employed Second Phone Number for anonymous communication, including private conversations and online dating, making it relatively easy to extract compromising information for blackmail or manipulation. Others used the app for secure business communications, thereby exposing sensitive client information and delivery details to potential exploitation.
The unsecured Firebase configuration also exposed the app’s client-side parameters: the API key, client ID, database URL, Google application ID, project identifier, reversed client ID, storage bucket name, and advertising app identifier (GAD). Several of these values (the API key, app ID, project ID and bucket name) are by design embedded in every Firebase client and are not secrets on their own; what makes them dangerous here is that the database and storage rules behind them permit unauthenticated access, so the identifiers hand an attacker the exact endpoints to query. Values that do grant privilege, such as keys for third-party services, have no place in client code at all.
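To make the distinction above concrete, here is an added triage script (not code from Cybernews or from the app’s developers) that parses a Firebase `GoogleService-Info.plist` as shipped in an iOS bundle, separates the identifiers that are public by design from the endpoints whose rules decide whether data leaks, and interprets the responses an authorised auditor would get from an unauthenticated request. The plist and the HTTP responses are constructed for the example; no network access is performed.

```python
"""Triage of the Firebase parameters shipped inside an iOS app bundle.

Added example, not code from Cybernews or from the Second Phone Number app.
The plist below is constructed in the layout of Firebase's
GoogleService-Info.plist; every value is a placeholder and names no real project.
"""
import json
import plistlib

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>API_KEY</key><string>AIzaSy-PLACEHOLDER-KEY</string>
<key>CLIENT_ID</key><string>000000000000-placeholder.apps.googleusercontent.com</string>
<key>REVERSED_CLIENT_ID</key><string>com.googleusercontent.apps.000000000000-placeholder</string>
<key>GOOGLE_APP_ID</key><string>1:000000000000:ios:0000000000000000</string>
<key>PROJECT_ID</key><string>placeholder-project</string>
<key>GCM_SENDER_ID</key><string>000000000000</string>
<key>BUNDLE_ID</key><string>com.example.placeholder</string>
<key>DATABASE_URL</key><string>https://placeholder-project.firebaseio.com</string>
<key>STORAGE_BUCKET</key><string>placeholder-project.appspot.com</string>
</dict></plist>
"""

# Firebase documents these as client identifiers: finding them in an app is
# expected and is not, by itself, a leak.
PUBLIC_BY_DESIGN = {"API_KEY", "CLIENT_ID", "REVERSED_CLIENT_ID", "GOOGLE_APP_ID",
                    "PROJECT_ID", "GCM_SENDER_ID", "BUNDLE_ID"}
# These name data stores; whether they leak depends on their security rules.
ENDPOINT_KEYS = {"DATABASE_URL", "STORAGE_BUCKET"}


def load_config(plist_bytes):
    """Parse the plist and split identifiers from the endpoints worth checking."""
    config = plistlib.loads(plist_bytes)
    identifiers = {k: v for k, v in config.items() if k in PUBLIC_BY_DESIGN}
    endpoints = {k: v for k, v in config.items() if k in ENDPOINT_KEYS}
    return identifiers, endpoints


def probe_urls(endpoints):
    """Requests an authorised auditor would send with no credentials at all."""
    urls = {}
    if "DATABASE_URL" in endpoints:
        base = endpoints["DATABASE_URL"].rstrip("/")
        # Realtime Database REST root; shallow=true lists top-level keys only
        urls["database"] = f"{base}/.json?shallow=true"
    if "STORAGE_BUCKET" in endpoints:
        bucket = endpoints["STORAGE_BUCKET"]
        # Cloud Storage for Firebase object listing for the bucket
        urls["storage"] = f"https://firebasestorage.googleapis.com/v0/b/{bucket}/o"
    return urls


def interpret(status, body):
    """Turn an unauthenticated response into a verdict.

    Realtime Database answers 401 {"error": "Permission denied"} when the rules
    reject anonymous reads and 200 with data when they do not; Cloud Storage
    answers 403 for a denied listing.
    """
    if status == 200:
        return "OPEN: anonymous read allowed" if body not in ("null", "") else "open but empty"
    if status in (401, 403):
        try:
            reason = json.loads(body).get("error", body)
        except (ValueError, AttributeError):
            reason = body
        return f"denied: {reason}"
    if status == 404:
        return "no such database or bucket"
    return f"unexpected status {status}"


if __name__ == "__main__":
    identifiers, endpoints = load_config(SAMPLE_PLIST)
    print("public identifiers:", sorted(identifiers))
    print("probe:", probe_urls(endpoints))
    # Constructed responses for the two outcomes (no network is used here)
    print(interpret(200, '{"users": true, "messages": true}'))
    print(interpret(401, '{"error": "Permission denied"}'))
```

Only the two endpoint checks tell you whether the app is in the same state as Second Phone Number; the seven identifiers would appear in any correctly secured Firebase app as well. Send the probe requests only against projects you are authorised to test.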
Alarmingly, the issue extends well beyond Second Phone Number. Analysts reviewed 156,000 iOS apps, roughly 8% of the entire App Store catalog, and found that 71% leaked at least one secret parameter, with the average application exposing 5.2 such values.
Experts advocate a comprehensive remediation strategy. First, Firebase security rules must be configured so that each user can reach only their own data and so that unauthenticated reads and writes are rejected outright; the permissive defaults used during development must never ship. Second, anything that grants privilege should move from the client to the developer’s own backend, with the app calling that backend rather than third-party services directly, so a decompiled bundle yields nothing more than the public identifiers it needs to run.
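The first recommendation above, as an added example rather than rules from the app in question: a small static audit of Realtime Database security rules that flags world-readable or world-writable paths. The three rule sets are constructed: `OPEN_RULES` is the well-known development default that produces exactly the exposure described in this article, `LAYERED_RULES` shows the cascade pitfall (a child rule cannot revoke a parent’s grant), and `SCOPED_RULES` is one way to lock the same layout to its owner. The path names (`users`, `$uid`, `messages`) are assumptions.

```python
"""Static audit of Firebase Realtime Database security rules.

Added example; not code from Cybernews or the app's developers. All three
rule documents are constructed for illustration.
"""
import json

# Development default: the whole tree readable and writable by anyone.
OPEN_RULES = json.loads('{"rules": {".read": true, ".write": true}}')

# A parent grant cascades to every descendant; the "private" rule below
# looks restrictive but has no effect on reads.
LAYERED_RULES = json.loads("""
{"rules": {
  ".read": true,
  "private": {".read": "auth != null", ".write": "auth != null"}
}}
""")

# Each user may read and write only their own subtree.
SCOPED_RULES = json.loads("""
{"rules": {
  "users": {
    "$uid": {
      ".read":  "auth != null && auth.uid == $uid",
      ".write": "auth != null && auth.uid == $uid",
      "messages": {
        "$msgId": {".validate": "newData.hasChildren(['from', 'to', 'body'])"}
      }
    }
  }
}}
""")


def _grant_level(expr):
    """Rank how permissive a single .read/.write expression is."""
    if expr is True or (isinstance(expr, str) and expr.strip() == "true"):
        return "public"
    if isinstance(expr, str) and expr.strip() == "auth != null":
        return "any-signed-in"  # every account, including anonymous sign-in
    return "scoped"


def audit_rules(rules_doc):
    """Return (path, op, effective level) for every non-scoped grant.

    Realtime Database rules cascade downward and only widen access, so a
    path whose ancestor is public is reported as public regardless of its
    own expression.
    """
    findings = []

    def walk(node, path, inherited):
        inherited = dict(inherited)
        for op in (".read", ".write"):
            if op not in node:
                continue
            level = _grant_level(node[op])
            if inherited.get(op) == "public":
                level = "public"  # local rule is ineffective under an open parent
            if level != "scoped":
                findings.append((path or "/", op, level))
            if level == "public":
                inherited[op] = "public"
        for key, child in node.items():
            if not key.startswith(".") and isinstance(child, dict):
                walk(child, f"{path}/{key}", inherited)

    walk(rules_doc["rules"], "", {})
    return findings


def is_world_readable(rules_doc):
    """True when any path can be read without authentication."""
    return any(op == ".read" and level == "public"
               for _, op, level in audit_rules(rules_doc))


if __name__ == "__main__":
    for name, doc in (("OPEN_RULES", OPEN_RULES),
                      ("LAYERED_RULES", LAYERED_RULES),
                      ("SCOPED_RULES", SCOPED_RULES)):
        print(f"{name}: world-readable={is_world_readable(doc)} findings={audit_rules(doc)}")
```

A rule of `auth != null` on its own is flagged as well: it admits every signed-in account, including anonymous sign-in if that provider is enabled, and is a common half-measure when a team is asked to "turn off public access".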
Researchers note that the current configuration lets an attacker not only connect to the database but also monitor user activity as it happens, including interactions with customer support and queries sent to AI assistants. The identifiers embedded in the app also make it easy to map the project’s backend (database, storage bucket and associated Google services), and where genuine authentication keys are exposed alongside them, to use those services without authorization.