ALERT Telnyx: Security Breach

Lots of hidden gotchas for big operations.
Hidden gotcha, really? It's right on their pricing page. So I'm not sure how a fee that is publicly posted before you purchase service is "hidden". We must have different definitions of this.

Retail providers limit the CPS (Calls Per Second) one can send them. Humans dialling normally generally means about 1 call per second. When you start getting up to 2 or more CPS then you either have serious volume (meaning humans are making calls at the exact same time) or you are automating your calls.

In order to generate 50 CPS in 3 seconds you need to send at least 150 calls in that 3 second period. In order for **humans** to send 50 CPS in 3 seconds you would need around 1500 agents making calls at the same time. Outside of that, you are using auto dialers to generate your calls.

Now some places like BulkVS don't have a posted CPS limit because they have a posted channel limit. For outbound calls you have 200 concurrent channels; if you go over those 200 concurrent channels they block your calls. I know, I had to have them up my limit at one point because I was hitting the 200 limit and having calls rejected.

What does that mean in comparison? You get 67 CPS over 3 seconds with BulkVS before your calls are rejected. So you get more CPS on par but at the same time, any additional calls are rejected during that period while Telnyx will just charge you and let the call go through because they don't impose channel limits.

In summary:
  • Some providers will impose a CPS limit with no channel limits (either charge or block if CPS is hit)
  • Some providers will impose a channel limit with no CPS (mainly block overage on channel limits)
  • Some providers will impose a CPS limit and channel limits. Meaning you can send X calls per second but only have Y concurrent calls at any time.
  • Calls Per Second and Concurrent Channels are not the same thing.
  • Telnyx's CPS rates are not hidden fees.
 
@Samot: Hidden means that you aren't alerted to the steep surcharges as your calls go through. Posting the CPS limits and rate surcharge formulas on multiple pages of a web site is not the same as letting subscribers know what their bill will be as they move through the month. The rates may not be hidden, but the fees certainly are because they're not calculated until the end of each billing cycle as I understand their published tariffs.
 
Hidden means that you aren't alerted to the steep surcharges as your calls go through.
There's a dashboard showing this traffic as it happens. While I don't have an account, there could be alerts that could be set up. But you are able to track this just like you track your usage. So unless you aren't watching any of your usage, you can be fully aware of the upcoming surcharges.
 
There's a dashboard showing this traffic as it happens. While I don't have an account, there could be alerts that could be set up. But you are able to track this just like you track your usage. So unless you aren't watching any of your usage, you can be fully aware of the upcoming surcharges.
Showing the traffic as it happens and showing the pricing as it happens are different beasts. Unless I'm reading their multiple pages incorrectly, the "price adjustment" doesn't rear its ugly head until the end of every month.

P.S. Who cares? Not me.
 
If you're dealing with a multi-tenant FusionPBX server, GPT suggests giving every tenant its own public SIP IP. Then each tenant has up to the 50 CPS limit.

If you have a single tenant that is going over the 50 CPS limit, GPT suggests assigning multiple SIP IPs to that tenant in FusionPBX, and then load balancing SIP traffic between IPs, though I haven't needed to try this so can't vouch for it:

GPT Q: Can you “shard” one tenant’s traffic across several SIP IPs?

Yes. FreeSWITCH/FusionPBX will happily send the same tenant’s calls out of two-plus public addresses, and Telnyx will treat each address as a separate 50-CPS bucket — so 3 IPs ≈ 150 CPS before you hit either rejections or a surcharge. The high-level recipe is:
  1. Give the EC2 instance more public addresses (Elastic IPs).
  2. Create one external SIP profile per IP and bind it to that address.
  3. Create a Telnyx “SIP Connection” per IP (IP-auth or credential).
  4. Add matching FusionPBX gateways and load-balance them with mod_distributor (or another dial-plan trick).
 
I would expect enterprises doing high call volume with Telnyx to have a contract in place that specifies CPS, overage terms, etc., that are more favorable than what is publicly posted. The publicly-stated policy and surcharges are for the self-sign-up crowd, to deter abuse. Sharding seems like a hacky workaround that might not be necessary (and still possibly "caught") if you have the kind of call volume that would require it. Perhaps talk to the provider instead and set up an agreement.
 
According to the article, Telnyx will calculate the monthly peak CPS and set surcharges according to it.
So if I understand correctly, once you reach some CPS during a month (as they calculate the 95th percentile, so twice), it will be surcharged even if the CPS was 0 all the rest of the time. And only 5 CPS is free.
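A constructed illustration of the CPS-versus-channels arithmetic from the earlier post (150 calls in 3 s is 50 CPS; a 200-channel cap with 3-second calls works out to about 67 CPS) and of how a 95th-percentile reading of a per-second CPS series behaves. This is added example code, not from the thread or from Telnyx; the nearest-rank percentile method, the call durations and the 100-second "month" are assumptions.

```python
import math
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# A call is (start second, duration in seconds); every call list below is constructed.
Call = Tuple[int, int]

def cps_series(calls: Iterable[Call], horizon: Optional[int] = None) -> List[int]:
    """Call attempts started in each second, from second 0 up to `horizon` (default: last start)."""
    starts = Counter(start for start, _ in calls)
    if horizon is None:
        horizon = max(starts) + 1 if starts else 0
    return [starts.get(t, 0) for t in range(horizon)]

def peak_cps(calls: Iterable[Call], window: int = 1) -> float:
    """Highest average CPS over any `window` consecutive seconds (window=3: 150 calls in 3 s is 50 CPS)."""
    series = cps_series(calls)
    series += [0] * max(0, window - len(series))  # pad so a short series still yields one window
    return max(sum(series[i:i + window]) / window for i in range(len(series) - window + 1))

def peak_concurrency(calls: Iterable[Call]) -> int:
    """Most calls in progress at one instant, i.e. the channel count a provider sees."""
    events = []
    for start, dur in calls:
        events.append((start, +1))
        events.append((start + dur, -1))  # -1 sorts before +1, so a call ending at t frees its channel first
    events.sort()
    active = peak = 0
    for _, delta in events:
        active += delta
        peak = max(peak, active)
    return peak

def percentile(values: List[int], pct: float) -> int:
    """Nearest-rank percentile; the thread only says '95%', so the exact method is an assumption."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(pct * len(ordered) / 100) - 1)]

def idle_month(burst_seconds: int, length: int = 100) -> List[int]:
    """Per-second CPS of a constructed `length`-second 'month': idle except one 50-CPS burst."""
    return cps_series([(t, 1) for t in range(20, 20 + burst_seconds) for _ in range(50)], horizon=length)

# Scenario A: a dialer fires 50 calls per second for 3 s, each call lasting 3 s.
BURST_150 = [(t, 3) for t in range(3) for _ in range(50)]
# Scenario B: 200 three-second calls spread over 3 s, just filling a 200-channel cap.
CHANNEL_CAP_200 = [(t, 3) for t, n in ((0, 67), (1, 67), (2, 66)) for _ in range(n)]

if __name__ == "__main__":
    for name, calls in (("150-call burst", BURST_150), ("200-channel cap", CHANNEL_CAP_200)):
        print(f"{name}: {peak_cps(calls, 3):.1f} CPS over 3 s, {peak_concurrency(calls)} channels in use")
```

With a 100-second window, a 5-second burst sits just below the nearest-rank 95th percentile while a 6-second burst lands on it, which is why the sampling method matters for the question above.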
 
On March 27, 2026 at 03:51 UTC, two unauthorized versions of the Telnyx Python SDK (4.87.1 and 4.87.2) were published to PyPI by a threat actor. Both versions contained malicious code and were quarantined by 10:13 UTC the same day.

The malicious packages execute at import time and attempt to exfiltrate credentials and environment secrets.

Who is affected

You may be affected if:

  • You installed or upgraded the telnyx Python package between 03:51 UTC and 10:13 UTC on March 27, 2026
  • You installed telnyx without pinning a version and received 4.87.1 or 4.87.2
  • A dependency pulled in telnyx as an unpinned transitive dependency

Who is NOT affected

  • You are running version 4.87.0 or earlier
  • You are using the Telnyx REST API directly without the Python SDK

The Telnyx platform, APIs, voice services, messaging, networking, and AI infrastructure were not compromised. This incident was isolated to the PyPI distribution channel.

What you should do (if affected)

  1. Check your version: pip show telnyx
  2. If running 4.87.1 or 4.87.2: treat the environment as compromised
  3. Downgrade immediately: pip install telnyx==4.87.0
  4. Rotate all credentials and secrets accessible from that system
  5. Monitor for suspicious outbound connections

What we are doing

We have removed the malicious packages from PyPI, are preparing a verified clean release with integrity checks, and are auditing credential exposure across our CI/CD pipeline.

A full technical postmortem will follow. For the full security notice and ongoing updates please read our notice.

We will provide additional updates within 24 hours.

If you have any questions, contact [email protected].
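A small triage script for the advisory above, added here and not Telnyx's own tooling: it checks the interpreter's installed telnyx version against the two quarantined releases and flags requirement lines that either float (and so could have resolved to 4.87.1 or 4.87.2 during the exposure window) or pin one of them. The version numbers come from the notice; the regexes, function names and the sample requirements file are assumptions.

```python
import re
from importlib import metadata
from typing import Dict, Iterable, List, Optional

AFFECTED_VERSIONS = {"4.87.1", "4.87.2"}  # the two unauthorized releases named in the notice
LAST_CLEAN_VERSION = "4.87.0"             # the downgrade target named in the notice

# A requirement line for telnyx (optional extras), capturing the version specifier.
_TELNYX_REQ = re.compile(r"^\s*telnyx(?![\w.-])\s*(?:\[[^\]]*\])?\s*(?P<spec>[^#;]*)", re.IGNORECASE)
# An exact pin: '==' followed by a plain release number (no '*' wildcard, no range).
_EXACT_PIN = re.compile(r"^==\s*\d+(?:\.\d+)*\s*$")

def installed_version() -> Optional[str]:
    """Version of the telnyx distribution in this interpreter, or None if it is not installed."""
    try:
        return metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return None

def is_affected(version: Optional[str]) -> bool:
    """True only for the two quarantined releases; anything else is outside this advisory."""
    return version in AFFECTED_VERSIONS

def risky_telnyx_lines(lines: Iterable[str]) -> List[str]:
    """Requirement lines that float (no exact pin) or that pin a quarantined release."""
    flagged = []
    for line in lines:
        m = _TELNYX_REQ.match(line)
        if not m:
            continue
        spec = m.group("spec").strip()
        if not _EXACT_PIN.match(spec) or is_affected(spec[2:].strip()):
            flagged.append(line.strip())
    return flagged

def assess(version: Optional[str], requirement_lines: Iterable[str]) -> Dict[str, object]:
    """Combine both checks into the action the notice asks for."""
    risky = risky_telnyx_lines(requirement_lines)
    compromised = is_affected(version)
    if compromised:
        action = (f"treat host as compromised: pin telnyx=={LAST_CLEAN_VERSION}, rotate every "
                  "secret reachable from it, review outbound connections")
    elif risky:
        action = f"pin telnyx=={LAST_CLEAN_VERSION} in: " + ", ".join(risky)
    else:
        action = "no action from this advisory"
    return {"installed": version, "compromised": compromised, "risky": risky, "action": action}

# Constructed requirements file; only the last line is safe as written.
SAMPLE_REQUIREMENTS = ["requests==2.31.0", "telnyx", "telnyx>=4.80  # floating lower bound",
                       "telnyx[async]==4.87.*", "telnyx==4.87.1", "telnyx==4.87.0"]

if __name__ == "__main__":
    print(assess(installed_version(), SAMPLE_REQUIREMENTS))
```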
 
