Millions of 2FA security codes for Facebook, WhatsApp, and Google were exposed online.
Millions of users of Facebook, WhatsApp, TikTok, and Google had their account security compromised when an unencrypted database containing private two-factor authentication (2FA) security codes was exposed online.
The incident is considered as serious as a full-scale data breach.
YX International, an Asian technology company that manufactures cellular networking equipment and routes SMS text messages, was held accountable for the error.
According to the firm, up to five million SMS messages are processed every day. The company had not even set a password to secure the data, leaving it all accessible to the general public.
A cybersecurity researcher found the database using nothing more than its IP address and a regular web browser.
Not long after learning about the problem, YX International took steps to safeguard the database. It’s unclear if the data in the database has already been misused.
The database contained data such as 2FA codes and password-reset URLs. The event emphasizes how crucial effective practices are for handling and safeguarding two-factor authentication.
It also encourages the use of more recent security mechanisms like passkeys, physical keys, and authentication applications. The growing number of businesses moving their servers to the cloud without taking the necessary precautions around authentication and encryption poses a serious hazard.
Is SMS the best option for 2FA security codes?
“One time passwords via SMS are a far safer option than relying on a password alone, but when threats are now multi-layered themselves, accounts need the strongest multi-layer protection themselves to stay secure,” according to Jake Moore, the global cybersecurity adviser at ESET.
Even more robust protection is provided by physical security keys, passkeys, and authenticator applications. Therefore, Moore says, “anyone left relying on passwords alone or using SMS 2FA codes might want to reconsider their original choice,” adding that “setting up security is now easier than ever.”
While the presence of 2FA codes in the erroneously set up and unsecured database in question shouldn’t worry consumers too much, there is still a lesson to be learned.