Brosix and Chatox Data Breach: When 'End-to-End Encryption' Promises Fall Short

A massive data breach has exposed over 100 million unencrypted chat messages from two communication platforms that promised end-to-end encryption but failed to deliver on their security claims. The breach affects healthcare providers, government officials, and major corporations, raising serious questions about vendor security promises and third-party risk management.

The Breach Overview

Brosix Enterprise and Chatox are communication platforms owned by Stefan Chekanov that advertised themselves as secure, encrypted messaging solutions. However, a researcher discovered an unsecured backup containing 155.3 GB of data with over 100 million chat messages stored in plain text.

Key Findings:

• 155.3 GB of exposed data
• 102,874,743 unencrypted chat messages (65.6M from Chatox, 37.2M from Brosix)
• 264,000+ unencrypted files attached to messages
• 980,972 user records dating back to 2006
• Data exposed from May 2024 to July 2025

The Encryption Promise vs. Reality

Both platforms made bold security claims:

Brosix advertised:

"All messages sent with Brosix are fully encrypted using end-to-end encryption technology, guaranteeing that your communication remains secure... Brosix uses AES (Advanced Encryption Standard, used by US government) with 256 bit keys."

Chatox claimed:

"Chatox employs encryption across all communications, making it an extremely secure communication and collaboration platform."

Yet the researcher found all chat messages, user credentials, and attached files stored in plain text on an unsecured backup server.

Healthcare Data Exposure

The breach exposed sensitive healthcare information, including:

• Florida Psychiatric Society therapists discussing patient cases
• Patient names, dates of birth, and medical conditions
• Treatment plans and medication discussions
• Insurance forms and patient records
• Scanned medical documents

This represents a significant HIPAA violation, as protected health information (PHI) was exposed without encryption or proper access controls.

Major Organizations Affected

Allstate Insurance

• 4,900+ employees used the platforms
• Customer policy information exposed
• Claims data and personal information compromised
• Employee passwords potentially compromised

Government Officials

• Senator Tim Scott's staff used house.gov email addresses
• Congressional communications potentially exposed
• Password reuse risks across government systems

Other Affected Sectors

• Financial services companies
• Educational institutions
• Technology firms
• Healthcare providers nationwide

Third-Party Risk Management Lessons

This breach highlights critical lessons for organizations:

1. Verify Vendor Security Claims

• Don't take encryption promises at face value
• Request independent security audits
• Verify data storage and transmission practices
• Ask for evidence of security controls

2. Implement Vendor Due Diligence

• Assess third-party security practices
• Monitor vendor security posture
• Have incident response plans for vendor breaches
• Regular security assessments of critical vendors

3. Data Minimization

• Only share necessary data with third parties
• Implement data retention policies
• Regular audits of data sharing practices
• Encrypt sensitive data before sharing

Compliance Implications

HIPAA Violations

Healthcare organizations using these platforms may face:

• HIPAA fines for PHI exposure
• Breach notification requirements
• Regulatory investigations
• Patient notification obligations

SOC 2 Considerations

Organizations with SOC 2 compliance should:

• Review vendor management controls
• Assess third-party risk procedures
• Update incident response plans
• Document lessons learned

Immediate Action Steps

For Affected Organizations:

1. Identify affected users and data
2. Reset compromised credentials
3. Notify affected individuals
4. Assess regulatory reporting requirements
5. Review vendor security practices

For All Organizations:

1. Audit third-party communications tools
2. Verify encryption claims
3. Implement vendor security assessments
4. Update incident response procedures
5. Train staff on secure communication practices

The Broader Impact

This breach demonstrates the growing risk of third-party communications platforms and the importance of:

• Independent security verification
• Comprehensive vendor risk management
• Incident response planning
• Regular security assessments

For organizations struggling with third-party risk management, see our guide on Third-Party Risk Management: Best Practices. For healthcare organizations concerned about HIPAA compliance, read our HIPAA Compliance Checklist. For companies evaluating their security posture, take our Compliance Posture Survey.