Unsecured database exposes 2FA codes for Google, Meta and more

Database could be accessed with an internet connection and a public IP address

Unsecured database exposes 2FA codes for tech giants

Image:

Unsecured database exposes 2FA codes for tech giants

Millions of users across platforms including Google, Facebook, WhatsApp and TikTok have been left vulnerable, sensitive two-factor authentication (2FA) codes and password reset links were left exposed online.

Anurag Sen, a security researcher known for his expertise in uncovering vulnerabilities, made the discovery.

Sen stumbled upon an unprotected database (without a password) on the internet containing SMS messages, including one-time passcodes and password reset links.

Uncertain about who owned the database, Sen sought assistance from TechCrunch to identify the responsible party and report the security breach.

TechCrunch's investigation uncovered sets of internal email addresses and passwords, linking the exposed database to YX International: an Asian company that specialises in cellular networks and providing essential routing services for time-sensitive messages.

TechCrunch found that the exposed database contained monthly logs dating back to July 2023, as well as sensitive information crucial for securing access to accounts on major platforms including Facebook, Google and TikTok.

The database could be accessed easily, requiring only an internet connection and a public IP address.

Two-factor authentication, hailed as a robust mechanism against unauthorised account access, relies on the secure transmission of codes to trusted devices. However, the use of SMS text messages introduces vulnerabilities.

Unlike more secure methods such as app-based code generators, SMS codes are susceptible to interception, leaving users exposed to potential breaches.

YX International secured the exposed database after receiving a notification from TechCrunch. A representative for the company acknowledged the breach, stating that the vulnerability had been fixed. However, details regarding the duration of the exposure, and whether unauthorised access occurred, remain undisclosed.

The representative mentioned that the server did not store access logs, which could have revealed whether anyone besides Sen had come across the exposed database and its contents.

YX International claims to process 5 million SMS texts daily.

Leaky or misconfigured databases exposing sensitive information about companies or people on the internet have become an all-too-common occurrence.

In December 2023, researchers stumbled upon a misconfigured MongoDB database linked to the LectureNotes leanring app, exposing the personal information of over two million users.

Also last year, a misconfigured link enabled public access to 38TB of Microsoft's confidential data from two employees' workstations, opening up the potential for injecting malicious code into Microsoft's AI models.

In 2020, Virgin Media admitted to a 10-month long data breach that occurred as a result of a misconfigured marketing database.