A technology business that sends millions of SMS texts worldwide has secured an exposed database that was leaking one-time security codes, potentially allowing access to users' Facebook, Google, and TikTok accounts.
According to YX International, the company sends 5 million SMS texts every day.
However, the IT company neglected to password-protect one of its internal databases, making it possible for anybody with a web browser and the database's public IP address to view the sensitive information it held.
Anurag Sen, a security researcher who works in good faith and specializes in uncovering unintentionally exposed datasets spilling onto the internet, identified the database. Sen shared details of the exposed database to help identify its owner and report the security breach, since it was unclear to Sen who the database belonged to or to whom the leak should be reported.
The exposed data included the contents of text messages sent to users, including one-time passcodes and password-reset links, from some of the world's biggest tech and internet firms, including Google, Facebook, WhatsApp, TikTok, and others.
The database was expanding by the minute and contained monthly logs going all the way back to July 2023.
Two-factor authentication (2FA), which sends a second code to a trusted device such as a person's phone, provides additional protection against online account takeovers that rely on a stolen password. Two-factor codes and password-reset links like those found in the public database usually expire after a few minutes or once used.
However, because SMS text messages can be intercepted or exposed (in this case, by leaking from a database onto the public web), codes delivered by SMS are less secure than stronger forms of 2FA, such as an app-based code generator.
Sets of internal YX International email addresses and passwords found in the exposed database made it possible to identify the company and notify it of the leak. The database went offline shortly after. A YX International representative, who did not give their name, later said the company had "sealed this vulnerability."
In response to a question, the YX International spokesperson added that the server did not keep access logs, which would have shown whether anyone other than Sen had found the unprotected database and its contents.
YX International declined to disclose the duration of the database’s exposure.
A Meta representative, reached by email, declined to comment. Google and TikTok spokespeople did not respond to requests for comment.