Millions of Google, WhatsApp, Facebook 2FA security codes leak online


Security experts advise against using SMS messages for two-factor authentication codes due to their vulnerability to interception or compromise. Recently, a security researcher discovered an unsecured database on the internet containing millions of such codes, which could be easily accessed by anyone.
The sensitive SMS database was left unprotected online

The internal database, discovered by security researcher Anurag Sen, was left unprotected without a password despite being internet-facing. Anyone who knew the database’s IP address would be able to access it using nothing more sophisticated than a bog-standard web browser. It contained 2FA codes from companies like Google, WhatsApp and Facebook.

Although it wasn’t immediately clear who owned the exposed database, after reporters at TechCrunch were contacted the guilty party was found to be YX International, an Asian company that provides SMS text message routing, among other services.

YX International secured the database after TechCrunch contacted the company.

With a daily flow of as many as 5 million SMS messages, the YX International database was a treasure trove of sensitive information, including password reset links and 2FA codes for companies such as Google, WhatsApp, Facebook and TikTok.

I have reached out to YX International, Google, Meta and TikTok for comment.

I spoke with the researcher who found the database, Anurag Sen, who told me they “came across the database during a routine check I do.” Sen says that they have been doing this to check on cloud-based databases for the past five years.

“Lots of companies are moving their production servers to cloud but the basic authentication and encryption are not placed,” Sen says. The exposed database shows, Sen says, that “the method to store and process 2FA should be more robust and secure.”

Do Google, WhatsApp and TikTok users have cause for concern?

With logs dating back as far as July 2023, the lack of a password to protect this database is shocking, but is it a security risk? From the perspective of the 2FA codes I would have to say not very much.

After all, such codes expire very quickly and a threat actor would have to be monitoring both the additions to the database and the actions of a target. In the scheme of things, this is very unlikely indeed.
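Sen’s point that 2FA codes should be stored and processed more robustly, and the expiry argument above, as an added example that is not code from the article or from any company named in it: a Python store that keeps only a keyed hash of each code, enforces a short validity window and single use, and caps guesses. The server key, the 300-second window and the five-guess limit are assumed values.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window for a code
MAX_ATTEMPTS = 5         # assumed guess limit per issued code


class OtpStore:
    """Keeps an HMAC of each code under a server-side key, never the code itself,
    so a leaked copy of the store or its logs does not expose usable codes."""
    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock      # injectable so expiry can be exercised in tests
        self._records = {}       # user_id -> {"digest", "expires_at", "attempts"}

    def issue(self, user_id: str) -> str:
        """Generate a 6-digit code; return it for delivery, keep only its digest."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._records[user_id] = {
            "digest": self._digest(user_id, code),
            "expires_at": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user_id: str, code: str) -> bool:
        """Accept a code once, inside its window, with a bounded number of guesses."""
        rec = self._records.get(user_id)
        if rec is None:
            return False
        if self._clock() > rec["expires_at"]:
            del self._records[user_id]      # expired: discard whatever was submitted
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._records[user_id]      # too many guesses: invalidate the code
            return False
        if not hmac.compare_digest(rec["digest"], self._digest(user_id, code)):
            return False
        del self._records[user_id]          # single use: a replayed code fails
        return True

    def stored_record(self, user_id: str):
        """What a reader of the exposed store sees: digest and metadata, no code."""
        return self._records.get(user_id)

    def _digest(self, user_id: str, code: str) -> bytes:
        return hmac.new(self._key, f"{user_id}:{code}".encode(), hashlib.sha256).digest()
```

A log line written from `stored_record()` carries nothing an attacker could type into a login form, which is the property the exposed routing database lacked.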

Does this mean you shouldn’t use SMS for 2FA security codes?

Jake Moore, the global cybersecurity advisor at ESET, told me that “one time passwords via SMS are a far safer option than relying on a password alone but when threats are now multi layered themselves, accounts need the strongest multi layer protection themselves to stay secure.”

Passkeys, authenticator apps and physical security keys all offer even more secure protection. “So, when setting up security is now easier than ever,” Moore continues, “anyone left relying on passwords alone or using SMS 2FA codes might want to reconsider their original choice.”

Although users don’t need to be too concerned that 2FA codes were included in the misconfigured and unprotected database in question, that doesn’t mean it’s not a lesson to be learned.

If anything, it just adds weight to the argument against using SMS if there are other options available, as it illustrates how such text message codes can be compromised.

“Text messages use outdated technology and it’s good practice to keep up with the latest account protection on offer,” Moore concludes, “But when convenience and security match each other in perfectly equal measures, it really is a no brainer to opt for another option other than SMS.”

This article was first published on forbes.com and all figures are in USD.


Davey Winder, Contributor