2FA security codes for some of the world’s biggest companies were left unprotected online


A company that handles SMS text message routing has secured one of its internal databases after discovering it could be accessed with nothing more than an internet connection and a public IP address.

The routing service handled time-sensitive messages used for one-time passcodes and reset links for two-factor authentication (2FA) services.

2FA is a method of identity and access management that is more secure than using just a password, and can help protect vulnerable networks.

Sealing the leak

The vulnerable database was discovered by good samaritan Anurag Sen, who is a security expert and researcher. Sen, upon discovering the database and being unable to trace its owner, reported the database to TechCrunch.

TechCrunch managed to identify a number of corresponding email addresses and passwords within the database that contained information hinting at the leaking database’s owner.

The database belonged to YX International, a company that specializes in cellular networks, and provides critical routing services for time-sensitive messages. YX International took down the database shortly after being notified, and then released a statement that the vulnerability had been fixed.

The database was responsible for handling one-time access codes for Facebook, Google and TikTok accounts. Because the database did not retain access logs, there is no evidence that any data was stolen. Evidence within the database suggested that it had been active since July 2023, but YX International did not confirm how long the database had been left unsecured.

Sen told TechCrunch that the database held password reset links, alongside the one-time access codes, for tech and social media giants such as Google and WhatsApp. While one-time access codes provide a superior level of security over just using a password, they are not as secure as dedicated 2FA and multi-factor authentication applications.


Benedict Collins
Staff Writer (Security)
