A security breach exposed two-factor authentication (2FA) codes/password reset links for millions of users on platforms like Facebook, Google, and TikTok.

Key Points:

  • YX International, an SMS routing company, left an internal database exposed online without a password.
  • The database contained one-time 2FA codes and password reset links for various tech giants.
  • YX International secured the database and claims to have “sealed the vulnerability.”
  • The company wouldn’t confirm how long the database was exposed or if anyone else accessed it.
  • Representatives from Meta, Google, and TikTok haven’t commented yet.

Concerns:

  • This leak highlights the vulnerabilities of SMS-based 2FA compared to app-based methods.
  • The lack of information regarding the leak’s duration and potential access by others raises concerns.

Gemini Recommendations:

  • Consider switching to app-based 2FA for increased security.
  • Be cautious of suspicious communications and avoid clicking unknown links.
  • Stay informed about potential security breaches affecting your online accounts.

  • Dr. Wesker@lemmy.sdf.org · 3 upvotes · 7 months ago

    It’s a great recommendation to use app-based 2FA, except that lots of services seem to insist on and only offer SMS OTP.

    For instance out of all the financial establishments I do business with, only one offers the option. The big name players don’t, it’s only some tiny little mom & pop CU that does.

    It’s very much a business adoption issue.

    • ozymandias117@lemmy.world · 1 upvote · 7 months ago

      App-based is also unacceptable if it’s a proprietary implementation

      TOTP/HOTP are the best standards right now

        • ozymandias117@lemmy.world · 1 upvote · 7 months ago

          Yeah, Yubikey fits - it implements TOTP/HOTP, and bitwarden is great

          Just “app-based” worried me about apps rolling their own implementations instead of using standards

    • Poggervania@kbin.social · 0 upvotes · 7 months ago

      Not sure if you do business with them, but Charles Schwab does have an app-based MFA option - although that’s limited to Symantec’s own TOTP MFA.

      • wrekone@lemmyf.uk · 1 upvote · 6 months ago

        A lot of sites say they only support one specific MFA app. But in my experience, any MFA app that can read the QR code will work.
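The two technical claims in this thread, that TOTP/HOTP are the open standards to insist on (ozymandias117) and that any authenticator able to read the enrollment QR code will work (wrekone), rest on the same fact: the QR code encodes an otpauth:// URI carrying a base32 secret and a few parameters, and the six- or eight-digit code is then computed by RFC 4226 (HOTP) and RFC 6238 (TOTP), so nothing in it is specific to one vendor's app. The example below is added here and is not code from the thread, from Lemmy, or from any of the services named in it. It implements HOTP, TOTP, a server-side verifier, and an otpauth URI parser using only the Python standard library. The sample URI, its label and issuer are constructed for the example; the secret inside it is the published RFC 4226/6238 test key "12345678901234567890". The function names are this example's own. A QR code that does not encode an otpauth URI (a proprietary enrollment payload, for instance) is rejected by the parser rather than guessed at, which is the one case where "any app that reads the QR code" does not hold.

```python
# Added example (not from the thread or from any service named in it):
# RFC 4226 HOTP and RFC 6238 TOTP with only the standard library, plus a
# parser for the otpauth:// URI that a 2FA enrollment QR code encodes.
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample enrollment URI. Label and issuer are made up; the secret is
# the base32 form of the RFC 4226/6238 test key "12345678901234567890".
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(secret, timestamp // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, timestamp: int, period: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring
    steps to tolerate clock skew; compare in constant time (no timing oracle)."""
    step = timestamp // period
    return any(hmac.compare_digest(hotp(secret, step + d, digits, algorithm), code)
               for d in range(-window, window + 1))


def parse_otpauth(uri: str) -> dict:
    """Decode otpauth://{totp|hotp}/LABEL?secret=BASE32&issuer=..&algorithm=..
    &digits=..&period=..[&counter=..]. Anything else raises ValueError."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret")
    b32 = params["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)  # many issuers omit the base32 '=' padding
    return {
        "type": parsed.netloc,
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(b32),  # binascii.Error is a ValueError
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "counter": int(params["counter"]) if "counter" in params else None,
    }


def is_otpauth(uri: str) -> bool:
    """True if a standards-based authenticator could enroll from this payload."""
    try:
        parse_otpauth(uri)
        return True
    except ValueError:
        return False


def code_from_uri(uri: str, timestamp: int) -> str:
    """What any standards-based authenticator shows after scanning the QR code."""
    p = parse_otpauth(uri)
    if p["type"] == "hotp":
        return hotp(p["secret"], p["counter"], p["digits"], p["algorithm"])
    return totp(p["secret"], timestamp, p["period"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print("enrolled:", p["label"], "issuer:", p["issuer"], "digits:", p["digits"])
    print("code now:", code_from_uri(SAMPLE_URI, int(time.time())))
    # RFC 6238 Appendix B vector for this key, 8 digits, T=59 is 94287082
    print("RFC vector T=59:", code_from_uri(SAMPLE_URI, 59))
```

The verifier's window of one step on each side is the usual server-side compromise: it absorbs a phone clock that is a few seconds off without accepting codes minutes old. Note that everything the parser needs to produce codes is in the URI, which is also why the secret shown in a QR code deserves the same handling as a password.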