Unsecured database exposes 2FA codes for Google, Meta and more

Database could be accessed with an internet connection and a public IP address

03 March 2024 • 2 min read

Millions of users across platforms including Google, Facebook, WhatsApp and TikTok have been left vulnerable after sensitive two-factor authentication (2FA) codes and password reset links were left exposed online.

Anurag Sen, a security researcher known for his expertise in uncovering vulnerabilities, made the discovery.

Sen stumbled upon an unprotected database (without a password) on the internet containing SMS messages, including one-time passcodes and password reset links.

Uncertain about who owned the database, Sen sought assistance from TechCrunch to identify the responsible party and report the security breach.

TechCrunch's investigation uncovered sets of internal email addresses and passwords, linking the exposed database to YX International, an Asian company that specialises in cellular networks and provides essential routing services for time-sensitive messages.

TechCrunch found that the exposed database contained monthly logs dating back to July 2023, as well as sensitive information crucial for securing access to accounts on major platforms including Facebook, Google and TikTok.

The database could be accessed easily, requiring only an internet connection and a public IP address.

Two-factor authentication, hailed as a robust mechanism against unauthorised account access, relies on the secure transmission of codes to trusted devices. However, the use of SMS text messages introduces vulnerabilities.

Unlike more secure methods such as app-based code generators, SMS codes are susceptible to interception, leaving users exposed to potential breaches.

YX International secured the exposed database after receiving a notification from TechCrunch. A representative for the company acknowledged the breach, stating that the vulnerability had been fixed. However, details regarding the duration of the exposure, and whether unauthorised access occurred, remain undisclosed.

The representative mentioned that the server did not store access logs, which could have revealed whether anyone besides Sen had come across the exposed database and its contents.

YX International claims to process 5 million SMS texts daily.

Leaky or misconfigured databases exposing sensitive information about companies or people on the internet have become an all-too-common occurrence.

In December 2023, researchers stumbled upon a misconfigured MongoDB database linked to the LectureNotes learning app, exposing the personal information of over two million users.

Also last year, a misconfigured link enabled public access to 38TB of Microsoft's confidential data from two employees' workstations, opening up the potential for injecting malicious code into Microsoft's AI models.

In 2020, Virgin Media admitted to a 10-month-long data breach that occurred as a result of a misconfigured marketing database.
