A tech company that routes millions of SMS text messages around the world has secured a publicly exposed database that was leaking one-time security codes that could have granted access to users' Facebook, Google and TikTok accounts.
YX International, an Asian technology and internet company, manufactures mobile phone networking equipment and provides SMS text message routing services. SMS routing helps get time-critical text messages, such as SMS security codes or links for logging in to online services, to the right destination across different regional cell networks and providers.
YX International claims to send 5 million SMS text messages every day.
However, the technology company left one of its internal databases exposed to the Internet without a password, allowing anyone who knew the database's public IP address to access sensitive internal data using only a web browser.
Anurag Sen, a conscientious security researcher and expert in discovering sensitive but inadvertently exposed datasets leaked onto the internet, discovered the database. Sen said he shared details of the leaked database with TechCrunch to help identify the owner and report the security flaw, as it was not clear who the database belonged to or who to report the breach to.
Sen told TechCrunch that the exposed database included the content of text messages sent to users, including one-time passcodes and password reset links for some of the world's largest tech and online companies, including Facebook, WhatsApp, Google, and TikTok.
The database had monthly logs going back to July 2023 and was growing in size by the minute.
Two-factor authentication (2FA) provides additional protection against online account hijacking that relies on password theft by sending an additional code to a trusted device, such as someone's phone. Two-factor codes and password reset links, like those found in the exposed database, typically expire after a few minutes or once used.
However, codes sent via SMS text messages are not as secure as stronger forms of 2FA (such as app-based code generators), because SMS text messages can be intercepted or exposed, or in this case, leaked from a database onto the web.
TechCrunch discovered a set of internal email addresses and corresponding passwords associated with YX International in the leaked database and alerted the company to the breach. The database went offline after a while. A YX International representative, who declined to be named, responded shortly after saying the company had “locked this vulnerability.”
In response to questions from TechCrunch, a YX International representative said that there were no access logs stored on the server to determine whether anyone other than Sen discovered the exposed database and its contents.
YX International did not say how long the database had been open to the public.
Reached via email, a Meta spokesperson did not comment. Spokespeople for Google and TikTok did not respond to requests for comment.