2FA security codes for some of the world’s biggest companies were left unprotected online

Security
(Image credit: Shutterstock / Ico Maker)

A company that handles SMS text message routing has secured one of its internal databases after discovering it could be accessed with nothing more than an internet connection and a public IP address.

The routing service handled time-sensitive messages used for one-time passcodes and reset links for two-factor authentication services (2FA).

2FA provides a secure method of identity and access management that is more secure than using just a password, and can help protect vulnerable networks.

 Sealing the leak

The vulnerable database was discovered by good samaritan Anurag Sen, who is a security expert and researcher. Sen, upon discovering the database and being unable to trace its owner, reported the database to TechCrunch.

TechCrunch managed to identify a number of corresponding email addresses and passwords within the database that contained information hinting to the leaking database’s owner.

The database belonged to YX International, a company that specializes in cellular networks, and provides critical routing services for time-sensitive messages. YX International took down the database shortly after being notified, and then released a statement that the vulnerability had been fixed.

The database was responsible for handling one-time access codes for Facebook, Google and TikTok accounts, and there is no evidence that any data was stolen because the database did not retain access logs. Evidence within the database suggested that it has been active since July 2023, but YX International did not confirm how long the database had been left unsecured.

Sen told TechCrunch that the database held password reset links, alongside the one time access codes, for tech and social media giants such as Google and WhatsApp. While one-time access codes provide a superior level of security over just using a password, they are not as secure as dedicated 2FA and multi-factor authentication applications.

More from TechRadar Pro

TOPICS
Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.

Read more
A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
A top online gift card store may have exposed private data on hundreds of thousands of users
Cartoon Phishing
One of the largest data leaks ever sees info on 1.5 billion people leaked online
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
This widely-used instant loan app leaks nearly 30 million files of user data
A graphic showing fleet tracking locations over a city.
Disability monitoring tool leaked personal information online
Thousands of misconfigured building access systems have been leaked online
Data leak
Popular online bill paying site leaks data of thousands of users
Latest in Pro
An image of network security icons for a network encircling a digital blue earth.
Why multi-CDNs are going to shake up 2025
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
Millwall FC The Den
The UK's first football club mobile network is here - but you probably won't guess which team has launched it
Google Chrome
Google Chrome security flaw could have let hackers spy on all your online habits
Latest in News
Xbox Series X and Xbox wireless controller set to a green background
Xbox Insiders are currently testing a new Game Hub feature that looks useful, but I've got mixed feelings about it
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Microsoft Surface Laptop and Surface Pro devices on a table.
Hate Windows 11’s search? Microsoft is fixing it with AI, and that almost makes me want to buy a Copilot+ PC
Oura Ring 4
Activity tracking on Oura Ring is about to get a whole lot better, but I've got bad news about your step count
Google Pixel Buds Pro 2
Cleaned your Pixel Buds Pro 2 recently? If not, you might be getting worse sound
Google Maps on a phone being held in someone's hand
Google Maps is getting two key upgrades, for easier route planning and quicker access to Gemini AI