2FA codes are great for security, except when 26M of them are leaked
Just when you thought two-factor authentication was enough to secure your online accounts, a troubling discovery shows how this system can be compromised, thanks to human error. TechCrunch reports that a database of text messages containing more than 26 million 2FA codes, password reset links, and delivery tracking details was left out in the open – and its recipients may have been compromised.
Security researcher Sébastien Kaul discovered the database – owned by a telephony firm called Voxox – on Shodan, a search engine for public databases. It was also attached to Voxox’s subdomain with an easily searchable frontend. You could use it to find phone numbers, names, and text messages.
Voxox provides SMS-based APIs that convert codes into text messages to authenticate users. TechCrunch found that the exposed database contained messages to authenticate phone numbers for Trivia HQ and Viber, verification codes for Huawei accounts, password reset codes for Microsoft accounts, Yahoo account keys, and Amazon shipping tracking links.
According to Dylan Katz, another security researcher who reviewed the findings, the data might have already been snapped up and used by malicious third parties.
The firm took the database down after TechCrunch contacted it. Voxox’s co-founder, Kevin Hertz, said in an email that the company is looking into the issue and evaluating the impact of the incident.
Source: The Next Web