A leaky database spilled 2FA codes for the world’s tech giants

A technology company that routes millions of SMS text messages across the world has secured an exposed database that was spilling one-time security codes that could have granted access to users' Facebook, Google and TikTok accounts.

The Asian technology and internet company YX International manufactures cellular networking equipment and provides SMS text message routing services. SMS routing helps to get time-critical text messages to their proper destination across various regional cell networks and providers, such as a user receiving an SMS security code or link for logging in to online services.

YX International claims to send 5 million SMS text messages daily.

But the technology company left one of its internal databases exposed to the internet without a password, allowing anyone who knew the database's public IP address to read the sensitive data inside using nothing more than a web browser.

Anurag Sen, a good-faith security researcher and expert in discovering sensitive but inadvertently exposed datasets leaking to the internet, found the database. Sen said it was not apparent who the database belonged to, nor who to report the leak to, so Sen shared details of the exposed database with TechCrunch to help identify its owner and report the security lapse.

Sen told TechCrunch that the exposed database included the contents of text messages sent to users, including one-time passcodes and password reset links for some of the world’s largest tech and online companies, including Facebook and WhatsApp, Google, TikTok, and others.

The database had monthly logs dating back to July 2023 and was growing in size by the minute.

Two-factor authentication (2FA) offers greater protection against account hijacks that rely on password theft by requiring an additional code that is sent to a trusted device, such as the account holder's phone. Two-factor codes and password reset links, like the ones found in the exposed database, are typically valid only for a few minutes and become useless once they are used.

But codes sent over SMS are weaker than other forms of 2FA, such as an app-based code generator or a hardware security key, because a text message passes through carriers and routing intermediaries who can read it in transit, and because it can be intercepted, exposed or, as in this case, written to a database that leaks onto the open web.
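The two properties the article relies on, that a code expires after a few minutes and cannot be reused, are decisions made on the server that issues the code, and so is whether the code ever appears in plaintext in a log. The following is an added example, not code from YX International or any of the companies named on this page: a small issuing and verification store that keeps only a salted HMAC of each code with an expiry, consumes a code on first successful use, and a redaction helper that strips numeric codes and reset-link tokens from a message body before it is logged. The five-minute lifetime, six-digit code length and the `token`/`code`/`key` query-parameter names are assumptions chosen for the example.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Assumed policy values for this example; real providers choose their own.
CODE_TTL_SECONDS = 300   # a code is accepted for five minutes after issue
CODE_DIGITS = 6


@dataclass
class PendingCode:
    """Server-side record of an issued code: a salted HMAC of it, never the code itself."""
    digest: str
    salt: bytes
    expires_at: float


def _digest(code: str, salt: bytes) -> str:
    # Keyed hash so that a leaked table of pending codes does not reveal the codes.
    return hmac.new(salt, code.encode("ascii"), hashlib.sha256).hexdigest()


class OtpStore:
    """Issues and verifies one-time codes that are both time-limited and single-use."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock            # injectable so expiry can be tested deterministically
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, user_id: str) -> str:
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = PendingCode(
            digest=_digest(code, salt),
            salt=salt,
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        # The plaintext code is returned only so it can be handed to the SMS sender;
        # it is not retained anywhere in this store.
        return code

    def verify(self, user_id: str, candidate: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user_id]     # expired: discard so it can never be replayed
            return False
        ok = hmac.compare_digest(entry.digest, _digest(candidate, entry.salt))
        if ok:
            del self._pending[user_id]     # single use: a correct code is consumed
        return ok


# Patterns for the two kinds of secrets the article says were in the message bodies:
# short numeric codes and password-reset links carrying a token. Parameter names are assumed.
_RESET_TOKEN = re.compile(r"(https?://\S+?[?&](?:token|code|key)=)[A-Za-z0-9_\-]+")
_NUMERIC_CODE = re.compile(r"\b\d{6,8}\b")


def redact_message(body: str) -> str:
    """Return a copy of an outbound SMS body safe to write to a routing log."""
    body = _RESET_TOKEN.sub(r"\1[REDACTED]", body)   # tokens first, they may contain digits
    return _NUMERIC_CODE.sub("[REDACTED]", body)


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("alice")
    # Constructed sample message; what a routing log should receive instead of the raw text.
    print(redact_message(f"Your login code is {code}. Or use https://example.test/reset?token=abcDEF123"))
    print("first use:", store.verify("alice", code), "second use:", store.verify("alice", code))
```

The store deliberately returns the plaintext code only once, at issue time; everything that happens afterwards (logging, routing, verification) can work from the hashed record or the redacted body, so a database exposed the way this article describes would hold nothing an attacker could replay.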

In the exposed database, TechCrunch found sets of internal email addresses and corresponding passwords associated with YX International, and alerted the company to the spilling database. The database went offline a short time later. A representative for YX International, who did not provide their name, responded soon after saying the company “sealed this vulnerability.”

When asked by TechCrunch, the YX International representative said that the server did not store access logs, which would have shown whether anyone other than Sen had discovered the exposed database and its contents.

YX International would not say for how long the database was exposed.

When reached by email, a Meta spokesperson did not comment. Spokespeople for Google and TikTok did not respond to requests for comment.


Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.
