Exposed database leaked 2FA SMS messages for large tech firms

TechCrunch reports that security researcher Anurag Sen has discovered an exposed database belonging to YX International, an Asian technology and internet firm. The database was leaking the contents of SMS messages sent to users, including one-time passcodes and password reset links for major technology and online firms such as Google, Facebook, WhatsApp, and TikTok.

YX reportedly left the internal database unprotected without a password, which allowed anyone with knowledge of the database's public IP address to access the sensitive information using only a web browser. Initially, it was unclear who owned the database or to whom to report the incident, so Sen sought the help of TechCrunch to find the database's owner and report the security lapse. TechCrunch looked at the exposed database and discovered sets of internal email addresses and passwords linked to YX, which claims to route 5 million SMS text messages daily. TechCrunch alerted the tech firm about the exposed database, and shortly after, the database went offline. A YX representative soon responded that the firm had already sealed the vulnerability, but would not confirm how long the database was exposed.
