DDoSecrets publishes 410 GB of heap dumps, hacked from TeleMessage

(micahflee.com)

Comments

Aurornis 20 May 2025
So one of their servers had a /heapdump endpoint that publicly served a heap dump of the server? This whole saga is out of control.

This group didn’t really “publish” anything, though. They’re offering access to journalists through a request form. They’re also not saying how much actual message content they have because the 410GB of heap dumps makes for a bigger headline number.

gregorvand 20 May 2025
TeleMessage CEO LinkedIn bio - reads like a terrible AI hatchet job:

"At the helm of TeleMessage, my leadership is defined by strategic innovation and a steadfast commitment to advancing telecommunications solutions. With a focus on SaaS products, our team has successfully navigated the industry's evolution, ensuring that we remain at the forefront of technological advancements. My role encompasses not only the oversight of our direction but also the cultivation of a culture that values ethical standards and collaborative success.

Our achievements are anchored in a proven track record of delivering results and solving complex problems with efficiency. Spearheading business development and marketing initiatives, we have established a reputation for excellence within the telecom sector. The acquisition of TeleMessage by Smarsh in 2024 stands as a testament to our team's dedication and my leadership in driving growth and fostering a united vision."

greyface- 20 May 2025
It's been weeks since the initial TeleMessage revelation... has the Signal Foundation responded in any way to the news? They condemn open source third-party clients and threaten trademark litigation when people use the "Signal" name in interop projects. Meanwhile, total silence when a defense contractor does the same thing.
namdnay 20 May 2025
However bad their Signal fork was, at least it was legal. What's crazy is that this very company was also selling a cracked WhatsApp, which is a whole different kettle of fish... and people were buying it! Real corporations and governments were buying this crap - it's insane.

https://smarsh.my.salesforce.com/sfc/p/#30000001FgxH/a/Pb000...

jfritsch1984 20 May 2025
We're doing something way less critical at my job. But we have two pentests per year by external companies. How on earth is this level of incompetence even legal?
lubesGordi 20 May 2025
'Heapdump' is a term I learned from debugging Android applications 15 years ago. It's just a snapshot of the Java process's memory. It's going to contain plaintext. Now why those heaps are available at an open HTTP endpoint is another matter, and is the interesting point. I'm guessing the client code had that endpoint hardcoded somewhere or they saw a request to it. I'm not seeing how they could know anything about the back end or how the messages are stored from this. Did I miss something?
willmarquis 20 May 2025
Exposing unauthenticated /heapdump endpoints in production is a rookie mistake, especially for a service handling sensitive government comms. The presence of MD5 hashes and legacy tech like JSP just adds to the picture of poor security hygiene. This breach is a textbook case of why defense-in-depth and regular audits are non-negotiable.
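A defender-side check in the spirit of the two comments above (added here; not code from the thread, from TeleMessage or from DDoSecrets): parse web-server access logs and flag successful requests from non-internal addresses to /heapdump and similar diagnostic endpoints. The log lines, the internal network ranges and the Actuator-style sibling paths are constructed assumptions; the thread only names /heapdump.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2025:10:01:02 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "curl/8.4"
203.0.113.7 - - [20/May/2025:10:01:09 +0000] "GET /heapdump HTTP/1.1" 200 734003200 "-" "python-requests/2.31"
203.0.113.7 - - [20/May/2025:10:02:11 +0000] "GET /actuator/heapdump HTTP/1.1" 401 0 "-" "python-requests/2.31"
10.0.0.9 - - [20/May/2025:10:03:00 +0000] "GET /actuator/heapdump HTTP/1.1" 200 512000000 "-" "jmap-collector/1.0"
198.51.100.2 - - [20/May/2025:10:04:30 +0000] "GET /index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Diagnostic endpoints that hand out process memory or runtime configuration.
# /heapdump is the path named in the thread; the others are assumed Spring Boot
# Actuator siblings (an assumption, since the thread never names the framework).
SENSITIVE_PATHS = ("/heapdump", "/actuator/heapdump", "/actuator/env", "/actuator/threaddump")
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # constructed

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_heapdump_exposure(log_text: str) -> list[dict]:
    """Return 2xx hits on sensitive endpoints that came from outside the internal ranges."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m["path"].split("?", 1)[0].rstrip("/")
        status = int(m["status"])
        if path in SENSITIVE_PATHS and 200 <= status < 300 and not is_internal(m["ip"]):
            findings.append({"ip": m["ip"], "path": path, "status": status,
                             "bytes": 0 if m["size"] == "-" else int(m["size"])})
    return findings

if __name__ == "__main__":
    for f in find_heapdump_exposure(SAMPLE_LOG):
        print(f"EXPOSED {f['path']} served {f['bytes']} bytes to {f['ip']}")
```

A 401 on the same path and an internal collector pulling a dump are both ignored, so the only finding is the large successful external download of /heapdump.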
WatchDog 20 May 2025
Great example to use whenever legislators want to ban or add backdoors to e2e encryption.
udev4096 20 May 2025
The title is outright wrong and should be criticized for spreading false information. They have NOT published anything, it's only for "researchers", which is a way of saying "we will write a false title for this article just so we can get a lot of attention".
0xbadcafebee 20 May 2025
> Because the data is sensitive and full of PII, DDoSecrets is only sharing it with journalists and researchers.

Yeah I'm normally a big proponent of responsible disclosure, but in this case, I think the more painful, damaging leak is required.

Firstly, autocrats, fascists & oligarchs don't care that much if you hack them. They will just keep using these tools (or another one just like it) ignoring the correct procedure their government already wants them to use. The citizens of affected nations need to be made angry by their leaders' failure to do their jobs correctly, and that's only gonna happen when there are consequences for their actions. Their incompetence put their nations at risk, and now it's clear they have failed to keep their intel safe. They have failed hard, let them fail hard.

Second, journalists and researchers have almost completely lost their power. In a non-democratic world (we're nearly there, just give them a little more time), when a journalist exposes corruption or incompetency, that journalist/researcher is simply silenced by the government. Silence the journalists and nobody knows what's going on so oppression can continue unchecked. Every person who gets silenced has a greater chilling effect on the whole society; nobody wants to be next. This is how authoritarians gain power. Oppression with no resistance or consequence legitimizes the oppression.

If we were just talking about typical corporate incompetence re: security, and the only thing at stake is a single stock or individuals' data, I would say disclose responsibly. But when it comes to stopping autocracy, the gloves have to come off. They sure as shit aren't gonna play by any rules, so neither should we.

bob_theslob646 20 May 2025
Isn't it against the law in the United States to use outside channels for government communications? Wasn't this the whole scandal about Clinton? Please correct me if I am wrong.
Yizahi 20 May 2025
I love when politicians lobbying for the backdooring of all communication software get pwned in the same way. Too bad they lack either brain cells or basic human empathy to make a connection between these events.
nlitsme 20 May 2025
I think this is abuse of the word 'publish'
throw7 20 May 2025
Does TM's SGNL still work on Signal's servers? Has Signal said that they do allow TeleMessage's custom Signal client to be used on their servers?
runlevel1 20 May 2025
"clean on OPSEC"

- Pete Hegseth

That line simultaneously becomes funnier and more depressing.

pawanjswal 20 May 2025
Wow, this whole TeleMessage leak feels like a spy thriller.
zombiwoof 20 May 2025
If no one will persecute criminals they will keep breaking all laws
goalieca 20 May 2025
Security standards need to start banning heap dumps.
treebeard901 20 May 2025
"We are currently clean on OPSEC"
ianhawes 20 May 2025
> Because the data is sensitive and full of PII, DDoSecrets is only sharing it with journalists and researchers.

Sorry, but no, journalists and researchers have implicit bias.

guluarte 20 May 2025
Cannot the Pentagon, with their billions in funding, make a secure app?
yieldcrv 20 May 2025
beautiful, any prediction markets tied to this? I need to stop betting on those things, I’m so bad at it
TechDebtDevin 20 May 2025
Yeah no thanks, not donating to gatekeepers who want to maintain the status quo. I'll give my coin to WikiLeaks and groups with balls.
labadal 20 May 2025
I'm someone who is building a messaging app, and I make sure we subscribe to the "nothing to hide, nothing to fear" philosophy. But in our case it's collect nothing so there's no data to steal even if we get hacked.
ayrtondesozzla 20 May 2025
https://nitter.net/ProjPM/status/1915527064070881379#m

Is this group not very seriously discredited, with ties to FBI, convicted child porn criminals, etc? Or am I getting something mixed up?

This could still be a legitimate leak, of course. I'm just wondering if this info is publicly known, or if I'm conflating things.