Database leak reveals 2FA codes for global tech giants

The Asian technology and internet company YX International manufactures cellular networking equipment and provides SMS text message routing services. YX International claims to send five million SMS text messages daily. But codes sent over SMS text messages are not as secure as stronger forms of 2FA, such as an app-based code generator, since SMS text messages are prone to interception or exposure — or in this case, leaking from a database onto the open web. TechCrunch found in the exposed database sets of internal email addresses and corresponding passwords associated with YX International, and alerted the company to the spilling database. YX International would not say for how long the database was exposed.

A technology company specializing in cellular networking equipment and SMS text message routing services has recently experienced a security lapse that may have impacted its users’ online accounts.

The internal database of the Asian technology and internet company, YX International, was found to be exposed, potentially revealing sensitive information that could grant access to popular online services like Facebook, Google, and TikTok.

The company, known for sending an impressive five million SMS text messages every day, offers a crucial service in getting time-sensitive messages to their intended recipients, such as one-time security codes or login links for various online platforms.

However, a security researcher named Anurag Sen stumbled upon the unsecured database, which was accessible to anyone with the knowledge of its public IP address and a standard web browser. Sen, who specializes in finding unintentionally exposed data sets on the internet, shared his discovery with TechCrunch in hopes of identifying the database’s owner and resolving the issue.

According to Sen, the database contained a wealth of information, including the contents of text messages sent to users, such as one-time passwords and password reset links for major tech companies like Facebook, WhatsApp, and Google, as well as popular social media app TikTok. The database also contained monthly logs dating back to 2023 and was continuously growing in size.

One of the primary concerns with the exposed database is the potential risk to 2FA, or two-factor authentication, which offers added security for online accounts by requiring an additional code to be entered, typically sent to a trusted device such as a phone. However, when it comes to SMS text messages, this form of 2FA is not foolproof, as messages are susceptible to interception or exposure, as demonstrated in this case.

Upon learning about the exposed database, TechCrunch also discovered sets of internal email addresses and corresponding passwords for YX International employees. The company was alerted to the issue, and the database was promptly taken offline. A YX International representative, choosing not to disclose their name, confirmed that the vulnerability had been addressed.

An interesting detail in this incident is that the YX International representative claimed that the server did not keep access logs, which would have shown if anyone other than Sen had accessed the database and its contents. As of now, it remains unknown how long the database was left exposed.

When contacted for comment, representatives for Meta, Google, and TikTok declined to respond.

Avatar photo
Dylan Williams

Dylan Williams is a multimedia storyteller with a background in video production and graphic design. He has a knack for finding and sharing unique and visually striking stories from around the world.

Articles: 874

Leave a Reply

Your email address will not be published. Required fields are marked *