
This article was published on November 16, 2018

2FA codes are great for security, except when 26M of them are leaked

Image by: Pxhere

Story by Ivan Mehta

Ivan covers Big Tech, India, policy, AI, security, platforms, and apps for TNW. That's one heck of a mixed bag. He likes to say "Bleh."

Just when you thought two-factor authentication was enough to secure your online accounts, a troubling discovery shows how this system can be compromised, thanks to human error. TechCrunch reports that a database of text messages containing more than 26 million 2FA codes, password reset links, and delivery tracking details was left out in the open – and its recipients may have been compromised.

Security researcher Sébastien Kaul discovered the database – owned by a telephony firm called Voxox – on Shodan, a search engine for public databases. It was also attached to Voxox’s subdomain with an easily searchable frontend. You could use it to easily find phone numbers, names, and text messages.

Voxox provides SMS-based APIs that convert codes into text messages to authenticate users. TechCrunch found that the exposed database contained messages to authenticate phone numbers for Trivia HQ and Viber, verification codes for Huawei accounts, password reset codes for Microsoft accounts, Yahoo account keys, and Amazon shipping tracking links.
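The damage here came from one-time codes, phone numbers, and full message bodies sitting in a database at rest. The following is an added illustration, not code from Voxox or from this article, of how an SMS verification service can avoid keeping that material: the code is sent to the gateway and then forgotten, only a keyed hash with an expiry is stored for verification, and the persisted message log keeps a redacted body and a masked number. The class, the pepper value, and the sample phone number are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed example: an OTP service that never writes the clear code to storage.
OTP_TTL_SECONDS = 300      # a code is only valid for five minutes
MAX_ATTEMPTS = 5           # limits online guessing of a six-digit code


@dataclass
class OtpRecord:
    code_hash: str         # HMAC of phone:code, never the code itself
    expires_at: float      # absolute expiry time (seconds)
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False     # a code is single-use


def mask_phone(phone: str) -> str:
    """Keep only the last four digits for the message log."""
    return "***" + phone[-4:]


class OtpStore:
    def __init__(self, pepper: bytes):
        # Server-side secret; an exposed table of hashes alone cannot be
        # reversed into codes without it.
        self._pepper = pepper
        self._records: dict[str, OtpRecord] = {}
        # Simulates the persisted outbound-message log: redacted on purpose.
        self.outbox: list[dict] = []

    def _hash(self, phone: str, code: str) -> str:
        msg = f"{phone}:{code}".encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).hexdigest()

    def issue(self, phone: str, now: float) -> str:
        """Generate a code, store only its hash, log a redacted message."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._records[phone] = OtpRecord(
            code_hash=self._hash(phone, code),
            expires_at=now + OTP_TTL_SECONDS,
        )
        self.outbox.append({
            "to": mask_phone(phone),
            "body": "Your verification code is ******",
            "sent_at": now,
        })
        # The clear code is returned to the caller for delivery to the SMS
        # gateway only; nothing on disk contains it.
        return code

    def verify(self, phone: str, code: str, now: float) -> bool:
        """Constant-time check against the stored hash; enforces TTL, replay and attempt limits."""
        rec = self._records.get(phone)
        if rec is None or rec.used or now > rec.expires_at or rec.attempts_left <= 0:
            return False
        rec.attempts_left -= 1
        if hmac.compare_digest(rec.code_hash, self._hash(phone, code)):
            rec.used = True
            return True
        return False


if __name__ == "__main__":
    store = OtpStore(pepper=b"constructed-example-pepper")
    code = store.issue("+15551234567", now=1000.0)
    print("verified:", store.verify("+15551234567", code, now=1001.0))
    print("message log:", store.outbox)
```

With this layout, a leaked copy of the database yields hashes that cannot be turned back into codes without the server-side pepper, codes that are already expired or consumed, and a message log with neither full phone numbers nor the code text.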

According to Dylan Katz, another security researcher who reviewed the findings, the data might have already been snapped up and used by malicious third parties.

The firm took the database down after TechCrunch contacted it. Voxox’s co-founder, Kevin Hertz, said in an email that the company is looking into the issue and evaluating the impact of the incident.

We have sent an email to the company to learn more and will update the post accordingly.

Exposed databases are a real concern for user privacy, especially for companies that handle sensitive information. Last week, we reported that American Express India’s database, with information about more than 700,000 of its cardholders, was publicly readable for more than five days in October.
