We were made aware of a development server that was exposed for a small window of time. When it was discovered, it was taken offline within 15 minutes of our being notified by Cloudflare that they had discovered it.
It primarily had some data for database load testing made up of call logs (partial numbers only), SMS messages our system flagged as SPAM and some general server log data.
This was an isolated dev server, and our production environment and the rest of our network were not at risk. All production systems remained firewalled and secured, and it would not have been possible for connections to be made to those systems.
Even though it was a development server with mostly simulated data on it, it would normally be fully secured, but it appears that it was not for a short window of time.
We have audited that server and the rest of our network out of an abundance of caution and have found no evidence of any unauthorized access beyond the initial member of Cloudflare's security who discovered it and notified us.
We will continue to investigate and work on reinforcing or adding additional processes or layers of security to prevent this from happening again.
If we find any indication that customers may have been impacted or had any information accessed (such as SMS messages that our system flagged as SPAM, primarily due to the very limited scope of what was on the server), we will notify users. At this time, though, we have no reason to believe any customers were impacted based on log data and analysis.
We disagree with many of the assumptions and pieces of information in the article linked, but at the end of the day any potential exposure is unacceptable.
Fortunately in this case, it was an isolated development server with very limited data on it and we have no indication that it was accessed by any unauthorized parties.
With that said, we sincerely apologize and we are looking at this as a learning opportunity and reminder to thoroughly audit, review and update our security policies and procedures to add additional protection.
I also want to be clear that no billing or customer information was on the server in question or ever at risk at any time. This server had a very limited scope of data with the bulk of it being simulated.
Again, I apologize for this and you can be certain I'm working to get to the bottom of how it happened and feel fortunate it was just a development server.