A leaky database spilled 2FA codes for the world's tech giants | TechCrunch
techcrunch.com
An SMS routing company's exposed database was left online without a password, spilling 2FA codes and password reset links to the open web.

A security breach exposed two-factor authentication (2FA) codes/password reset links for millions of users on platforms like Facebook, Google, and TikTok.

Key Points:

  • YX International, an SMS routing company, left an internal database exposed online without a password.
  • The database contained one-time 2FA codes and password reset links for various tech giants.
  • YX International secured the database and claims to have “sealed the vulnerability.”
  • The company wouldn’t confirm how long the database was exposed or if anyone else accessed it.
  • Representatives from Meta, Google, and TikTok haven’t commented yet.

Concerns:

  • This leak highlights the vulnerabilities of SMS-based 2FA compared to app-based methods.
  • The lack of information regarding the leak’s duration and potential access by others raises concerns.

Gemini Recommendations:

  • Consider switching to app-based 2FA for increased security.
  • Be cautious of suspicious communications and avoid clicking unknown links.
  • Stay informed about potential security breaches affecting your online accounts.
  • @LastElemental@lemmy.worldEnglish
    34 months ago

    You can use TOTP 2FA on a browser too, there’s plugins for it. It’s not some super secret algorithm, smartphone apps are just the most common way of handling it. I suppose there’s progress to be made in terms of accessibility and education for the general public in terms of options for TOTP.

      • @harsh3466@lemmy.worldEnglish
        34 months ago

        That’s because Apple, as they love to do, decided to make their own special version of 2fa within their little garden.

        Y’know, instead of going with the accepted totp method.

    • @Wes_Dev@lemmy.mlEnglish
      14 months ago

      That’s a good point, and I do have some 2FA set up like that. The problem is I have to be logged into a computer, have a browser open, have the 2FA extension installed, and be able to copy and paste or type the code in before the timer expires.

      That’s not hard at home, but if I need to sign in to my bank account while at a library or anything like that, I’m screwed.

      I think SMS is popular because it’s so easy to reach the people that need the codes, regardless of platform. I just wish it wasn’t so bad security-wise, you know?