Researcher found millions of 2FA codes spilling online for tech giants


Millions of two-factor authentication (2FA) codes, sent as SMS messages on behalf of tech giants, were exposed online to anyone who found them, with no authentication required, security researcher Anurag Sen found.

“Secured an exposed database that was spilling one-time security codes that may have granted users access to their Facebook, Google, TikTok US, Airbnb accounts,” Sen tweeted after sharing his findings with TechCrunch.

Sen found an internet-exposed database belonging to YX International, an SMS routing service that says it sends 5 million text messages a day. SMS routers carry time-critical messages such as login codes across networks and carriers to the recipient's phone, which means every code they relay passes through their infrastructure in plaintext.

The database had no password set: anyone who knew its public IP address could read the contents with nothing more than a web browser.

Sen told TechCrunch that the exposed database was growing every minute, held monthly logs dating back to July 2023, and contained the full text of messages sent to users, including one-time passcodes and password reset links for some of the world's largest tech and online companies.

TechCrunch also found sets of internal email addresses and corresponding passwords associated with YX International. A representative for the company responded soon after, saying they had “sealed this vulnerability.”

Security experts generally advise against SMS for two-factor authentication wherever an alternative is available. Text messages are not encrypted end to end, they pass through third-party routing providers such as this one, and they can be intercepted in transit or, as here, simply read from a carelessly exposed system. Authenticator apps using time-based one-time passwords (TOTP) and hardware security keys generate or prove the code on the user's own device, so there is no message for a router to log or leak.