A security breach exposed two-factor authentication (2FA) codes/password reset links for millions of users on platforms like Facebook, Google, and TikTok.

Key Points:

  • YX International, an SMS routing company, left an internal database exposed online without a password.
  • The database contained one-time 2FA codes and password reset links for various tech giants.
  • YX International secured the database and claims to have “sealed the vulnerability.”
  • The company wouldn’t confirm how long the database was exposed or if anyone else accessed it.
  • Representatives from Meta, Google, and TikTok haven’t commented yet.

Concerns:

  • This leak highlights the vulnerabilities of SMS-based 2FA compared to app-based methods.
  • The lack of information regarding the leak’s duration and potential access by others raises concerns.

Gemini Recommendations:

  • Consider switching to app-based 2FA for increased security.
  • Be cautious of suspicious communications and avoid clicking unknown links.
  • Stay informed about potential security breaches affecting your online accounts.
  • A Phlaming Phoenix@lemm.ee
    link
    fedilink
    English
    arrow-up
    4
    ·
    10 months ago

    Mine uses SMS 2FA AND had a 16-character password limit. I need to switch banks already. Any suggestions for a decent bank or credit union that uses modern password cryptography and app-based TOTP?

    • MeekerThanBeaker@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      10 months ago

      SMS 2FA is dumb, but I thought 16 characters are okay right now. Does the bank have too many password mistakes will block you for a certain time period enabled?

      • frezik@midwest.social
        link
        fedilink
        English
        arrow-up
        3
        ·
        10 months ago

        They’re good as long as there aren’t any limits on characters you can use.

        Some people like to use passphrases. But honestly, the gold standard is a password manager with randomized strings.

    • Dark Arc@social.packetloss.gg
      link
      fedilink
      English
      arrow-up
      2
      ·
      10 months ago

      Well Capital One still uses SMS 2FA … BUT if you’re going to be using budget apps they allow OAuth which was the big selling point for me (i.e. not giving my bank account password to a third party)