A technology company that routes millions of SMS text messages around the world has secured an exposed database that leaked one-time security codes, codes that could have given anyone who saw them access to other people's Facebook, Google and TikTok accounts.
Asian technology and Internet company YX International manufactures mobile networking equipment and provides SMS text message routing services. SMS routing delivers time-critical text messages, such as a security code or a login link for an online service, to their correct destination across the various regional mobile networks and carriers.
YX International claims to ship 5 million SMS messages daily.
But the company left one of its internal databases exposed online without a password, so anyone who knew its public IP address could read the data with nothing more than a web browser.
Anurag Sen, a good-faith security researcher who specializes in finding sensitive data sets inadvertently exposed on the Internet, found the database. Sen said it was not obvious who owned the database or whom to report the leak to, so he shared details of the exposed database with TechCrunch to help identify its owner and report the security flaw.
Sen told TechCrunch that the exposed database included the contents of text messages sent to users, including one-time passwords and password reset links for some of the biggest tech and internet companies, including Facebook and WhatsApp, Google, TikTok and others.
The database had monthly logs dating back to July 2023 and was growing in size by the minute.
Two-factor authentication (2FA) offers greater protection against account breaches that stem from password theft by sending an additional code to a trusted device, such as the user's phone. The two-factor codes and password reset links found in the exposed database typically expire after a few minutes or once they are used.
However, codes sent by SMS are less secure than stronger forms of 2FA, such as app-based code generation, because text messages can be intercepted or exposed in transit, or, as in this case, leaked from a database on the open web. Short expiry limits the damage only if the leak is discovered late; a database that was still growing by the minute exposed fresh codes while they were still valid.
In the exposed database, TechCrunch also found sets of internal email addresses and corresponding passwords associated with YX International, and notified the company of the leak. The database was taken offline shortly afterward. A spokesperson for YX International, who did not give their name, said the company had "sealed this vulnerability."
When asked by TechCrunch, the YX International spokesperson said the server does not store access logs, so there is no way to determine whether anyone other than Sen found the exposed database and its contents.
YX International would not say how long the database was exposed.
When reached by email, a Meta representative did not comment. Representatives for Google and TikTok did not respond to requests for comment.