A leaky database spilled 2FA codes for the world’s tech giants
A technology company that routes millions of SMS text messages across the world has secured an exposed database that was spilling one-time security codes that may have granted users’ access to their Facebook, Google and TikTok accounts.
The Asian technology and internet company YX International manufactures cellular networking equipment and provides SMS text message routing services. SMS routing helps to get time-critical text messages to their proper destination across various regional cell networks and providers, such as a user receiving an SMS security code or link for logging in to online services.
YX International claims to send 5 million SMS text messages daily.
But the technology company left one of its internal databases exposed to the internet without a password, allowing anyone to access the sensitive data inside using only a web browser, just with knowledge of the database’s public IP address.
Anurag Sen, a good-faith security researcher and expert in discovering sensitive but inadvertently exposed datasets leaking to the internet, found the database. Sen said it was not apparent who the database belonged to, nor who to report the leak to, so Sen shared details of the exposed database with TechCrunch to help identify its owner and report the security lapse.
Sen told TechCrunch that the exposed database included the contents of text messages sent to users, including one-time passcodes and password reset links for some of the world’s largest tech and online companies, including Facebook and WhatsApp, Google, TikTok, and others.
The database had monthly logs dating back to July 2023 and was growing in size by the minute.
Two-factor authentication (2FA) offers greater protection against online account hijacks that rely on password theft by sending an additional code to a trusted device, such as someone’s phone. Two-factor codes and password resets, like the ones found in the exposed database, typically expire after a few minutes or once they are used.
But codes sent over SMS text messages are not as secure as stronger forms of 2FA — an app-based code generator, for example — since SMS text messages are prone to interception or exposure, or in this case, leaking from a database onto the open web.
In the exposed database, TechCrunch found sets of internal email addresses and corresponding passwords associated with YX International, and alerted the company to the spilling database. The database went offline a short time later. A representative for YX International, who did not provide their name, responded soon after saying the company “sealed this vulnerability.”
When asked by TechCrunch, the YX International representative said that the server did not store access logs, which would have determined if anyone other than Sen discovered the exposed database and its contents.
YX International would not say for how long the database was exposed.
When reached by email, a Meta spokesperson did not comment. Spokespeople for Google and TikTok did not respond to requests for comment.