Millions of Google, WhatsApp, Facebook 2FA security codes leaked online – ARY NEWS


In a shocking incident, millions of Google, Facebook, TikTok and WhatsApp users had the security of their accounts compromised following the leak of an unsecured database that contained private two-factor authentication (2FA) security codes.

The incident is considered as severe as a complete data breach.

The error was attributed to YX International, an Asia-based technology company responsible for routing SMS text messages and producing cellular networking equipment.

The company claims to process up to five million SMS messages daily. The firm left the entire database open to public access without even a password for protection.

A cybersecurity researcher found the database using just its IP address and a standard web browser.

YX International secured the database soon after being contacted about the issue. Whether the information in the database was already exploited is not yet clear.

The database included data such as 2FA codes and password reset links. The incident highlights the importance of best practices in securing and processing two-factor authentication.

It also pushes the adoption of newer security measures such as authentication apps, passkeys, and physical keys. The threat is considerable, given the growing number of companies seeking to move their servers to the cloud without adequate encryption and authentication measures.

Should you use SMS for 2FA security codes?

Jake Moore, the global cybersecurity advisor at ESET, told me that “one time passwords via SMS are a far safer option than relying on a password alone but when threats are now multi layered themselves, accounts need the strongest multi layer protection themselves to stay secure.”

Passkeys, authenticator apps and physical security keys all offer even more secure protection. “So, when setting up security is now easier than ever,” Moore continues, “anyone left relying on passwords alone or using SMS 2FA codes might want to reconsider their original choice.”

Although users don’t need to be too concerned that 2FA codes were included in the misconfigured and unprotected database in question, that doesn’t mean it’s not a lesson to be learned.
