A security breach exposed two-factor authentication (2FA) codes/password reset links for millions of users on platforms like Facebook, Google, and TikTok.
Key Points:
- YX International, an SMS routing company, left an internal database exposed online without a password.
- The database contained one-time 2FA codes and password reset links for various tech giants.
- YX International secured the database and claims to have “sealed the vulnerability.”
- The company wouldn’t confirm how long the database was exposed or if anyone else accessed it.
- Representatives from Meta, Google, and TikTok haven’t commented yet.
Concerns:
- This leak highlights the vulnerabilities of SMS-based 2FA compared to app-based methods.
- The lack of information regarding the leak’s duration and potential access by others raises concerns.
Gemini Recommendations:
- Consider switching to app-based 2FA for increased security.
- Be cautious of suspicious communications and avoid clicking unknown links.
- Stay informed about potential security breaches affecting your online accounts.
Aegis Authenticator, in case someone was wondering what to use
I still use Authy, I know it’s frowned upon in the privacy community but it’s worked well enough for me so far. With them shutting down their desktop app though I see no reason not to switch to Aegis at some point in the near future. Just a pain in the backside setting it all up again as Authy doesn’t let you export your 2FA.
Authy was fantastic, I don’t know why it would be frowned on; they thought through security very carefully.
That said, I recently transitioned everything to 1password TOTP or passkey; Authy is killing its desktop app.