- SMS routing helps to get time-critical text messages to their proper destination across various regional cell networks and providers, such as a user receiving an SMS security code or link for logging in to online services.
- Codes sent over SMS text messages are not as secure as stronger forms of 2FA — an app-based code generator
YX International, which specializes in manufacturing cellular networking equipment and providing SMS text message routing services, has been found to have left an internal database exposed to the internet without a password. The database contained sensitive information, including one-time security codes that could potentially grant access to users’ Facebook, Google, and TikTok accounts.
Exposed database and collaborates with TechCrunch
YX International reportedly sends out a staggering 5 million SMS text messages daily. However, this exposure posed a significant security risk, as it allowed unfettered access to the contents of text messages sent to users, including one-time passcodes and password reset links for major tech and online companies like Facebook, WhatsApp, Google, and TikTok.
Anurag Sen, a reputable security researcher, discovered the exposed database and shared the details with TechCrunch to help identify its owner and report the security lapse. The database, which had monthly logs dating back to July 2023, was continuously growing in size, potentially exposing a vast amount of sensitive information.
Also read: How to enhance cybersecurity after the Australian State Court database breach?
SMS-based 2FA security concerns
This incident raises concerns about the security of SMS-based two-factor authentication (2FA), which is designed to provide an additional layer of protection against account hijacking. While 2FA codes sent via SMS are commonly used, they are not as secure as other forms of 2FA, such as app-based code generators, as they are susceptible to interception or exposure.
Upon TechCrunch’s discovery of the exposed database, sets of internal email addresses and corresponding passwords associated with YX International were also found. After alerting the company, the database was promptly taken offline, and a representative for YX International stated that the vulnerability had been addressed.
Also read: Singapore NTU and Ocean Base to improve database systems
The duration of the exposure and unauthorized access
Questions remain regarding the duration of the database exposure and whether unauthorized access may have occurred. The company’s response, particularly regarding the absence of access logs on the server, leaves uncertainty about the extent of the potential data breach.
This incident underscores the critical importance of robust security measures, especially for companies handling sensitive user data and communications. In an era of increasing cybersecurity threats and data breaches, it is imperative for organizations to prioritize the safeguarding of user information and promptly address any vulnerabilities that could compromise data integrity and privacy.
When approached for comment, representatives from Meta, Google, and TikTok did not respond to requests for input on the matter, highlighting the need for greater transparency and accountability from tech companies in addressing data security incidents.
