A security breach exposed two-factor authentication (2FA) codes/password reset links for millions of users on platforms like Facebook, Google, and TikTok.

Key Points:

  • YX International, an SMS routing company, left an internal database exposed online without a password.
  • The database contained one-time 2FA codes and password reset links for various tech giants.
  • YX International secured the database and claims to have “sealed the vulnerability.”
  • The company wouldn’t confirm how long the database was exposed or if anyone else accessed it.
  • Representatives from Meta, Google, and TikTok haven’t commented yet.

Concerns:

  • This leak highlights the vulnerabilities of SMS-based 2FA compared to app-based methods.
  • The lack of information regarding the leak’s duration and potential access by others raises concerns.

Gemini Recommendations:

  • Consider switching to app-based 2FA for increased security.
  • Be cautious of suspicious communications and avoid clicking unknown links.
  • Stay informed about potential security breaches affecting your online accounts.
  • NekuSoul@lemmy.nekusoul.de · 22 up / 1 down · edited · 4 months ago

    Someone already explained it, but here’s a ranking of the different methods which are commonly used in terms of security, from bad to good:

    • No 2FA
    • SMS/Phone-based TOTP (TOTP = the normally 6-digit code)
    • App-based TOTP
    • Hardware-based TOTP
    • Hardware-token (Fido2/WebAuthn/Passkeys)
    • gapbetweenus@feddit.de · 1 up · 4 months ago

      Thanks, what level would you recommend for a more or less average user? Would guess my most sensitive data are bank and Google account.