Millions of Google and Facebook security passwords leaked

on the Internet Millions of security codes leaked to Google, WhatsApp, Facebook And short message Security experts are warning against authentication (also known as two-factor authentication), in the wake of Tuesday's “blackout” on Meta platforms.

They themselves appeal Do not use SMS for authentication codesThis is because they are exposed to eavesdropping or tampering.

In fact, a security researcher discovered one not long ago Insecure database On the Internet, which contains millions of these codes that any user can easily access.

More specifically, as stated in ForbesThe internal database discovered by security researcher Anurag Sen, You were left unprotected and without a passwordAlthough there is access to the Internet.

Therefore, it is estimated that anyone who knows the IP address of the database can access it using a standard web browser.

Although it was not immediately clear where the exposed database came from, after contacting TechCrunch reporters, it was determined that the “culprit” was… YX Internationalan Asian company that provides SMS forwarding, among other services.

With over 5 million text messages per day, the database was a A large reservoir of informationincluding password reset links and two-factor (“two-factor”) authentication codes for companies like Google, WhatsApp, Facebook, and even TikTok.

Forbes has reached out to YX International, Google, Meta, and TikTok for comment. He reportedly contacted the researcher who found the database, Anurag Sen, who said so “I found the database during a routine scan I was doing.”.

According to him, the exposed database shows this “The way 2FA is stored and processed needs to be more robust and secure.”

Do Google, WhatsApp and TikTok users have reason to worry?

With records dating back to July 2023, the lack of a password to protect this database is shocking, but does it represent a security risk?

From the standpoint of two-factor authentication codes, Forbes reports, we have to say “not much.” Furthermore, these tokens expire very quickly, and a potential attacker would need to track both database additions and the target's actions, which is indeed unlikely.

Does this mean you shouldn't use SMS for two-factor authentication (2FA) security codes?

Jake Moore, a cybersecurity consultant at ESET, told Forbes “One-time passwords via SMS are a more secure option than relying on a password alone. However, when threats are now multi-layered, accounts need the strongest protection to remain safe..

Although users You don't have to worry too much Just because 2FA codes are included in said unprotected database, doesn't mean it's not a sin to learn. If nothing else, just… It adds weight to the argument against using SMS if other options are availableBecause it explains how these codes can be decoded.

“Texting uses outdated technology, and it is good practice to keep up with the latest account protection available.” concludes Moore.