Millions Of Google, WhatsApp, Facebook 2FA Security Codes Leak Online
Security experts strongly discourage the use of SMS messages for two-factor authentication codes due to their susceptibility to interception or compromise. Recently, a security researcher, Anurag Sen, uncovered an unprotected internet-facing database containing millions of these codes, accessible to anyone with knowledge of its IP address and a standard web browser.
The exposed database, initially of unclear ownership, was traced back to YX International, an Asian company specializing in SMS text message routing. Following notification from TechCrunch reporters, YX International promptly secured the unprotected database.
The YX International database, processing up to 5 million SMS messages daily, contained sensitive information, including password reset links and 2FA codes for major companies like Google, WhatsApp, Facebook, and TikTok.
In response to the incident, inquiries were made to YX International, Google, Meta (formerly Facebook), and TikTok for comments.
Anurag Sen, the researcher behind the discovery, emphasized the need for more robust and secure methods for storing and processing 2FA codes, particularly as companies migrate production servers to the cloud.
Although the database had no password at all and held logs dating back to July 2023, the risk to the 2FA codes themselves appears limited: the codes expire quickly, and an attacker would have had to watch new entries arrive in the database while simultaneously tracking a target's login attempts. Even so, Jake Moore, global cybersecurity advisor at ESET, stressed the importance of adopting stronger, multi-layered protection, such as passkeys, authenticator apps, or physical security keys, to improve overall account security.
While users may not be directly affected by the 2FA codes included in the exposed database, the incident serves as a valuable lesson. Moore described SMS as an outdated channel for authentication and recommended exploring alternatives that offer both convenience and stronger security. In short, the incident underscores the risks of relying on SMS for 2FA and makes the case for more robust authentication methods.