See More

Hacker Exposes Leak of Two-Factor Authentication Codes

2 mins
Updated by Ali M.
Join our Trading Community on Telegram

In Brief

  • A security researcher recently revealed that a database containing two-factor SMS authentication codes for big companies was publicly exposed.
  • The data related to a service used by Google, Meta, and TikTok, to send SMSes containing authentication codes to users as quickly as possible.
  • These two-factor crimes have taken many forms recently, from hacking a person's iCloud to stealing their phone number to bypassing encryption.
  • promo

A security researcher has discovered an unprotected database governing access to services from some of the world’s biggest tech companies. The database belongs to a short message service (SMS) routing operator responsible for sending two-factor authentication (2FA) codes to users of Meta, Google, and possibly crypto firms.

The researcher, Anurag Sen, found that the company’s YX International database was exposed without a password on the public internet. Anyone who knew the public internet protocol (IP) address could view the data.

Users Affected by Two-Factor Authentication Leak

YX International sends security codes to people logging into platforms belonging to Meta, Google, and TikTok. The company ensures that users’ messages are routed speedily through mobile networks across the globe. Among the messages it sends are security codes that form part of a two-factor authentication scheme many large companies use to protect user accounts.

Some service providers, like Google, can send an SMS code to verify a user’s authenticity after entering a password. Other authentication options include generating a code from an authenticator app to complement a password.

Read more: 15 Most Common Crypto Scams To Look Out For

google 2fa sms
Red Box Shows Weak Point of SMS 2FA Authentication | Source: All Things Auth

While two-factor authentication seeks to improve security, it is not a silver bullet. Accordingly, crypto exchange Coinbase warns that 2FA is a minimum security measure, but it is not foolproof. Hackers can still find a way to steal funds from crypto wallets.

“While 2FA seeks to improve security, it is not foolproof. Hackers who acquire the authentication factors can still gain unauthorized access to accounts. Common ways to do so include phishing attacks, account recovery procedures, and malware. Hackers can also intercept text messages used in 2FA,” Coinbase said.

Criminals Are Using These Methods to Beat 2FA

Last year, reports of criminals bypassing 2FA on Apple devices emerged. A hacker could access Apple’s cloud platform, iCloud, and replace a user’s phone number with their own. The scheme risked the funds in crypto wallet apps on Apple devices since some applications could have sent authentication codes to compromised phone numbers.

Criminals can also use SIM swaps to enact two-factor authentication crypto scams. In this line of attack, criminals convince mobile operators like AT&T or Verizon to transfer a phone number from the rightful owner to the fraudster. After that, the criminal only needs one other piece of information to access a self-custodial wallet app owned by the true owner of the phone number.

Given the surge in quantum technology, Apple recently improved the security of its Secure Enclave hardware device embedded in iPhones. The post-quantum cryptography scheme creates new keys every time a malicious actor compromises an old one.

This feature could help crypto wallet developers improve their clients’ crypto security by storing critical information in the Secure Enclave. So far, at least one vendor has already used the Secure Enclave to grant access to their wallet app.

Read more: What is a Private Key in Crypto?

BeInCrypto contacted Binance, the world’s largest cryptocurrency exchange, and Coinbase for comment on whether the XY International data leak affected their users. Neither company had responded by press time.

Top crypto projects in the US | May 2024



In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and ConditionsPrivacy Policy, and Disclaimers have been updated.

David Thomas
David Thomas graduated from the University of Kwa-Zulu Natal in Durban, South Africa, with an Honors degree in electronic engineering. He worked as an engineer for eight years, developing software for industrial processes at South African automation specialist Autotronix (Pty) Ltd., mining control systems for AngloGold Ashanti, and consumer products at Inhep Digital Security, a domestic security company wholly owned by Swedish conglomerate Assa Abloy. He has experience writing software in C,...