US-headquartered Syniverse revealed a data breach spanning five years, and told investors login information was compromised for 235 of the roaming and interconnect provider’s corporate customers.

The company outlined the incident in a public filing related to its merger with a special purpose acquisition company, a transaction which is expected to close by the end of this year.

Syniverse calls the breach the “May 2021 Incident” because it was discovered in May of this year, but “unauthorised access began in May 2016”, the company stated. Upon discovering the breach, Syniverse “launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialised legal counsel and other incident response professionals”, according to its filing.

The hacker or hackers gained access to login information for Syniverse’s Electronic Data Transfer (EDT) system, the company told investors. “The individual or organisation gained unauthorised access to databases within its network on several occasions,” the company wrote.

Syniverse did not disclose any details related to the types of information unauthorised individuals may have obtained. Press reports indicate the hackers could have accessed personal details about mobile subscribers, including the contents of text messages.

All 235 impacted customers have been told their credentials were compromised (potentially impacting millions of end users), Syniverse stated.  The company has reset credentials for all its EDT customers.

It counts leading operators including Vodafone Group, AT&T, Verizon, America Movil and China Unicom among its list of customers.

“Syniverse did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorised activity,” the company stated.