Exposed: The Risks of SMS-Based Two-Factor Authentication

Why rely on one layer of security when you can have multiple layers? This is usually a solid approach, but even the best-laid plan carries risk.


Once a cornerstone of account security, SMS-based two-factor authentication (2FA) is starting to show its age and its vulnerabilities.

A striking example of this risk recently surfaced when a vast, exposed database filled with millions of 2FA codes was discovered online. Anyone with the right web address could have stumbled upon it.

Security researcher Anurag Sen found this publicly accessible database, which lacked even basic password protection. It was associated with YX International, an Asia-based company specializing in SMS messaging services, and contained a shocking amount of sensitive data – up to 5 million SMS messages per day. These messages included password reset links and 2FA codes for major platforms like Google, WhatsApp, Facebook, and TikTok.

While the exposed database stretched back to July 2023, the short-lived nature of 2FA codes might limit the possible fallout. However, imagine the potential chaos if a more recent database suffered a similar breach.

This incident reveals the hidden dangers of SMS-based authentication and serves as a reminder that even seemingly secure systems may contain weak points.