A security breach exposed two-factor authentication (2FA) codes/password reset links for millions of users on platforms like Facebook, Google, and TikTok.
Key Points:
- YX International, an SMS routing company, left an internal database exposed online without a password.
- The database contained one-time 2FA codes and password reset links for various tech giants.
- YX International secured the database and claims to have “sealed the vulnerability.”
- The company wouldn’t confirm how long the database was exposed or if anyone else accessed it.
- Representatives from Meta, Google, and TikTok haven’t commented yet.
Concerns:
- This leak highlights the vulnerabilities of SMS-based 2FA compared to app-based methods.
- The lack of information regarding the leak’s duration and potential access by others raises concerns.
Gemini Recommendations:
- Consider switching to app-based 2FA for increased security.
- Be cautious of suspicious communications and avoid clicking unknown links.
- Stay informed about potential security breaches affecting your online accounts.
It’s a great recommendation to use app-based 2FA, except that lots of services seem to insist on and only offer SMS OTP.
For instance out of all the financial establishments I do business with, only one offers the option. The big name players don’t, it’s only some tiny little mom & pop CU that does.
It’s very much a business adoption issue.
App-based is also unacceptable if it’s a proprietary implementation
TOTP/HOTP are the best standards right now
I like a combo of Yubikey and Bitwarden, personally.
Yeah, Yubikey fits - it implements TOTP/HOTP, and bitwarden is great
Just “app-based” worried me about apps rolling their own implementations instead of using standards
Not sure if you do business with them, but Charles Schwab does have a app-based MFA option - although that’s limited to Symantec’s own TOTP MFA.
A lot of sites say they only support one specific MFA app. But in my experience, any MFA app that can read the QR code will work.
It’s infuriating that my bank still uses SMS 2FA.
It’s a circus out there…
One of my financial institutions supports yubikeys, but does not have the option to turn off sms 2fa. A chain is as strong as the weakest link, as usual.
Another only has sms 2fa and bizarrely allows me to specify any phone number at login time to receive the code. WTF?
Most only have 2fa via sms. When you talk about using an authenticator app people bitch and moan because they have to cut and paste those digits into the login page. Oh, the humanity…
Don’t even get me started on sites with “roll your own” schemes, like forcing you to install their app (which requires all permissions under the sun) just to accept a push message and allow you to login on their website.
Mine uses SMS 2FA AND had a 16-character password limit. I need to switch banks already. Any suggestions for a decent bank or credit union that uses modern password cryptography and app-based TOTP?
SMS 2FA is dumb, but I thought 16 characters are okay right now. Does the bank have too many password mistakes will block you for a certain time period enabled?
They’re good as long as there aren’t any limits on characters you can use.
Some people like to use passphrases. But honestly, the gold standard is a password manager with randomized strings.
oh so even this bullshit that’s 20 times more annoying isn’t secure? good good
Aegis Authenticator, in case someone was wondering what to use
I still use Authy, I know it’s frowned upon in the privacy community but it’s worked well enough for me so far. With them shutting down their desktop app though I see no reason not to switch to Aegis at some point in the near future. Just a pain in the backside setting it all up again as Authy doesn’t let you export your 2FA.
Authy was fantastic, I don’t know why it would be frowned on; they thought through security very carefully.
That said, I recently transitioned everything to 1password TOTP or passkey; Authy is killing its desktop app.
