
This article was published on November 16, 2018

2FA codes are great for security, except when 26M of them are leaked



Just when you thought two-factor authentication was enough to secure your online accounts, a troubling discovery shows how this system can be compromised, thanks to human error. TechCrunch reports that a database of text messages containing more than 26 million 2FA codes, password reset links, and delivery tracking details was left out in the open – and its recipients may have been compromised.

Security researcher Sébastien Kaul discovered the database – owned by a telephony firm called Voxox – on Shodan, a search engine for public databases. It was also attached to Voxox’s subdomain with an easily searchable frontend. You could use it to easily find phone numbers, names, and text messages.

Voxox provides SMS-based APIs that convert codes into text messages to authenticate users. TechCrunch found that the exposed database contained messages to authenticate phone numbers for Trivia HQ and Viber, verification codes for Huawei accounts, password reset codes for Microsoft accounts, Yahoo account keys, and Amazon shipping tracking links.

According to Dylan Katz, another security researcher who reviewed the findings, the data might have already been snapped up and used by malicious third parties.

The firm took the database down after TechCrunch contacted it. Voxox’s co-founder, Kevin Hertz, said in an email that the company is looking into the issue and evaluating the impact of the incident.


We have sent an email to the company to learn more and will update the post accordingly.

Exposed databases are a real concern for user privacy, especially for companies that handle sensitive information. Last week, we reported that American Express India’s database, with information about more than 700,000 of its cardholders, was publicly readable for more than five days in October.