Two-factor authentication, or 2FA as it’s more popularly known, has long been touted as one of the best layers of defense against data breaches. Unfortunately, a recent discovery of a database filled with millions of 2FA codes by a security researcher has raised serious concerns about the method’s effectiveness.
Security experts have long warned against relying solely on SMS messages for two-factor authentication codes because of how easy it is to intercept them. There are many other alternatives, such as authenticator apps and passkeys, which are much more secure.
The database that was discovered contains 2FA codes and password reset links for sites like Facebook, TikTok, Google, and WhatsApp.
Here’s a detailed look at the events that have transpired.
Unprotected Database Exposes Millions of SMS 2FA Codes
The database was found by a security researcher named Anurag Sen. It belonged to YX International, an Asian company that provides SMS text message routing services. The database, which was accessible to anyone on the Internet without a password, contained millions of SMS messages, including password reset links and 2FA codes for major companies like Google, WhatsApp, Facebook, and TikTok.
YX International’s database receives over 5 million SMS messages every day. That volume shows how much sensitive traffic passes through a single third-party relay, which is why relying on SMS messages for 2FA is such a large risk. Fortunately, the company secured the database as soon as it was notified.
More Secure Authentication Methods Should be Used
While the exposure of 2FA codes in this database does not pose a significant risk, as they expire quickly, it does reinforce the argument for using more secure authentication methods whenever possible.
Luckily, there is a wide range of options available that are safer than SMS-based 2FA. These options include authenticator apps, physical security keys, and passkeys.
Keep in mind, however, that these methods aren’t fully secure, either. Passkeys, for example, could be undermined by session hijacking attacks, where malware steals session cookies after a successful login, allowing attackers to bypass the authentication step entirely rather than break the passkey itself.
How Can You Reduce the Risk of Having Your Data Exposed?
To mitigate these risks, there are a number of steps you can take. For example, you can revoke permissions for unused devices or applications, restrict session timeouts, and avoid the "remember me" option on new websites.
Another thing you should do is use app- or hardware-based tokens for multi-factor authentication whenever possible, as they are more secure than SMS or email-based methods.
But That’s Not All
As authentication methods continue to evolve, security teams must adopt a multi-layered approach to combat emerging threats. The YX International database leak serves as a reminder that SMS-based 2FA, while better than relying solely on passwords, should be phased out in favor of more robust and secure options.
Authenticator apps, passkeys, and physical security keys are all more reliable than SMS-based 2FA, but these methods have their flaws.