Friday, 4 April 2025

A massive security breach: Millions of 2FA codes leaked

A database leak at YX International compromised millions of 2FA codes from major tech firms.

YX International, an Asian tech giant known for its extensive SMS routing services, inadvertently exposed a database containing millions of sensitive text messages. The breach, discovered by security researcher Anurag Sen, exposed two-factor authentication (2FA) codes belonging to users of several major technology companies, including Facebook, Google, and TikTok.

How the breach happened

Imagine a scenario where a database, filled with critical information, is left unguarded on the internet. That’s precisely what happened with YX International. Their internal database, which robust security measures should have shielded, was left open without password protection. This oversight meant anyone with knowledge of the database’s public IP address could access this sensitive data through a web browser.

YX International, a firm boasting the dispatch of 5 million SMS texts daily, failed to secure this database, resulting in a serious security lapse. The database logs, dating back to July 2023, contained one-time passcodes and password reset links for users of some of the world’s most prominent tech firms.

The implications of the leak

You might be wondering how severe this breach is. Two-factor authentication is a widely adopted security measure that sends an additional code to a trusted device, like your phone, to prevent account hijacks. However, the codes found in the leaked database, which are meant to expire after a few minutes or once used, pose a significant risk. SMS-based 2FA, although convenient, is not as secure as other forms such as app-based code generators. This incident highlights the vulnerability of relying on SMS for critical security functions.

Sen contacted the news outlet TechCrunch, which examined the exposed database and found 2FA codes along with internal email addresses and passwords associated with YX International. The breach was reported to the company, and the database went offline shortly afterwards. However, YX International could not confirm how long the database had been exposed or whether any malicious parties had accessed the sensitive data.

Tech giants’ response to the breach

Following this discovery, TechCrunch reached out to the affected companies for comment. A Meta spokesperson chose not to comment, and representatives from Google and TikTok did not respond to the requests. YX International acknowledged the vulnerability and claimed to have “sealed” it, yet it could not provide logs to ascertain whether others had accessed the data.

This incident is a stark reminder of the fragility of digital security and the importance of robust data protection measures. It highlights the need for continuous vigilance and improvement in cybersecurity protocols for large corporations and all who rely on digital platforms for their daily operations.
