I spoke with the researcher who found the database, Anurag Sen, who told me they "came across the database during a routine check I do." Sen says that they have been doing this to check on cloud-based databases for the past five years. "Lots of companies are moving their production servers to cloud but the basic authentication and encryption are not in place," Sen says. The exposed database shows, Sen says, that "the method to store and process 2FA should be more robust and secure."

Do Google, WhatsApp And TikTok Users Have Cause For Concern?

With logs dating back as far as July 2023, the lack of a password to protect this database is shocking, but is it a security risk? From the perspective of the 2FA codes, I would have to say not very much. After all, such codes expire very quickly, and a threat actor would have to be monitoring both the additions to the database and the actions of a target in real time. In the scheme of things, this is very unlikely indeed.

Does This Mean You Shouldn't Use SMS For 2FA Security Codes?

Although users don't need to be too concerned that 2FA codes were included in the misconfigured and unprotected database in question, that doesn't mean there is no lesson to be learned. If anything, it adds weight to the argument against using SMS when other options are available, as it illustrates how such text message codes can be compromised. Jake Moore, the global cybersecurity advisor at ESET, told me that "one-time passwords via SMS are a far safer option than relying on a password alone, but when threats are now multi-layered themselves, accounts need the strongest multi-layer protection themselves to stay secure." Passkeys, authenticator apps and physical security keys all offer even more secure protection. "So, when setting up security is now easier than ever," Moore continues, "anyone left relying on passwords alone or using SMS 2FA codes might want to reconsider their original choice."

Although the 2FA codes leaked in the YX International database exposure were unlikely to have been exploited by an attacker, for the reasons already stated, the fact that they were being written to the database while still valid remains a concern. "Text messages use outdated technology and it's good practice to keep up with the latest account protection on offer," Moore concludes. "But when convenience and security match each other in perfectly equal measures, it really is a no-brainer to opt for another option other than SMS."

3/06 update: Passkeys are often cited as a more secure replacement for 2FA, although they are more accurately thought of as a method that combines 2FA with something more secure than a password.

I have reached out to YX International, Google, Meta and TikTok for comment.
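The argument above rests on timing: a code sitting in an exposed SMS-gateway log is only useful to an attacker while it is still inside its validity window, and only if the attacker is watching the log as rows arrive. The following is an added example, not code from the Forbes article, from Anurag Sen or from YX International's systems. It takes a constructed export of gateway log rows (the pipe-separated format, the services, numbers, timestamps and the five-minute window are all assumptions), picks out the rows that carry one-time codes, reports which of them were still live at the moment the export was read, and shows what the gateway could have logged instead so that a leaked row never contains a usable secret.

```python
# Added example, not from the Forbes article or YX International's systems.
# Given an export of SMS-gateway log rows of the kind described in the story,
# it (1) picks out the rows that carry one-time codes, (2) works out which of
# those codes were still inside their validity window at the moment the export
# was read, and (3) shows what the gateway should have written instead.
# The log format, services, numbers, timestamps and the 5-minute window are
# all constructed assumptions; real gateways and services differ.
import re
from datetime import datetime, timedelta, timezone

OTP_WINDOW = timedelta(minutes=5)  # assumed validity window; services set their own

# One code per message: an optional "G-" prefix (Google style), then six to
# eight digits, optionally split by a hyphen ("771-204"). Four-digit order
# numbers such as "#1002" deliberately do not match.
CODE_RE = re.compile(r"\b(?:G-)?(\d{3}-?\d{3,5})\b")

# Constructed sample export: timestamp|recipient|sender|body
SAMPLE_LOG = """\
2024-02-29T09:14:02Z|+15550100001|Google|G-482913 is your Google verification code.
2024-02-29T09:15:40Z|+15550100002|WhatsApp|Your WhatsApp code: 771-204. Don't share this code.
2024-02-29T09:17:55Z|+15550100003|TikTok|[TikTok] 509316 is your verification code, valid for 5 minutes.
2024-02-29T09:18:10Z|+15550100004|Acme|Your Acme order #1002 has shipped.
2024-02-29T09:21:30Z|+15550100005|Google|G-113377 is your Google verification code.
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; tolerate the trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def analyze_export(log_text, observed_at, window=OTP_WINDOW):
    """Return one record per OTP-bearing row with its age and whether it was still
    live (inside the window) when the export was observed. Rows with no code are skipped."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, recipient, sender, body = line.split("|", 3)
        m = CODE_RE.search(body)
        if not m:
            continue  # delivery notices and marketing: nothing for an attacker here
        age = observed_at - parse_ts(ts)
        rows.append({
            "sender": sender,
            "recipient": recipient,
            "code": m.group(1).replace("-", ""),
            "age_seconds": int(age.total_seconds()),
            "live": timedelta(0) <= age < window,
        })
    return rows


def live_codes(rows):
    """The subset an attacker reading the export at observed_at could still try."""
    return [r for r in rows if r["live"]]


def redact_otp(body):
    """What the gateway should log: keep the message shape, drop the secret digits."""
    return CODE_RE.sub(lambda m: re.sub(r"\d", "*", m.group(0)), body)


if __name__ == "__main__":
    observed = datetime(2024, 2, 29, 9, 22, tzinfo=timezone.utc)
    rows = analyze_export(SAMPLE_LOG, observed)
    for r in rows:
        print(f"{r['sender']:<9} {r['recipient']} code={r['code']} "
              f"age={r['age_seconds']:>4}s {'LIVE' if r['live'] else 'expired'}")
    print(f"{len(live_codes(rows))} of {len(rows)} codes still usable at {observed.isoformat()}")
    print("redacted:", redact_otp("G-482913 is your Google verification code."))
```

Run against the constructed export at 09:22 UTC, two of the four codes are still inside the assumed window and two have already lapsed, which is the shape of exposure the article describes: a passive reader of an old dump gets almost nothing, while a reader tailing the log as rows land gets a short-lived but real opportunity. The redaction helper is the cheap fix on the gateway side; the stronger one Sen alludes to is not writing the code to a general-purpose log at all.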