Just when you thought two-factor authentication was enough to secure your online accounts, a troubling discovery shows how this system can be compromised, thanks to human error. TechCrunch reports that a database of text messages containing more than 26 million 2FA codes, password reset links, and delivery tracking details was left publicly accessible – and the recipients of those messages may have been compromised as a result.
Security researcher Sébastien Kaul discovered the database – owned by a telephony firm called Voxox – through Shodan, a search engine that indexes internet-connected devices and services, including databases that have been left exposed. The database was also reachable on a Voxox subdomain through an easily searchable frontend, which could be used to look up phone numbers, names, and the contents of text messages.
Voxox provides SMS-based APIs that let other companies send text messages to their users, including the one-time codes used to authenticate them. Because those messages pass through Voxox’s systems in plain text, anyone with access to the database could read them. TechCrunch found that the exposed database contained messages to authenticate phone numbers for Trivia HQ and Viber, verification codes for Huawei accounts, password reset codes for Microsoft accounts, Yahoo account keys, and Amazon shipping tracking links.
According to Dylan Katz, another security researcher who reviewed the findings, the data might already have been harvested and used by malicious third parties – a one-time code is only useful for a short window, but a database that updates in near real time would have let an attacker read codes as they were sent.
The firm took the database down after TechCrunch contacted it. Voxox’s co-founder, Kevin Hertz, said in an email that the company is looking into the issue and evaluating the impact of the incident.
We have sent an email to the company to learn more and will update the post accordingly.
Exposed databases are a real concern for user privacy, especially for companies who handle sensitive information. Last week, we reported that American Express India’s database, with information about more than 700,000 of its cardholders, was publicly readable for more than five days in October.