Over 26 million people’s texts were exposed, and yes, 2FA codes too
“Yeah, this is very bad,” said one researcher.
While some of our texting habits have shifted to messenger services and the like, texting is still a huge part of life on our smartphones. It is also how we often get our two-factor authentication codes, along with other notifications and information from companies.
What you might not realize, however, is that when companies send these messages, they have to go through a server gateway of sorts. One such server was owned by the company Voxox and, according to a new report from TechCrunch, was completely vulnerable, allowing anyone to look inside and see what secrets it held.
More about the breach
Sébastien Kaul, a Berlin-based security researcher, was the first to discover the issue at the San Diego, California communications company. The server could be found not only through a search engine called Shodan, but also directly, through a subdomain of Voxox.
The server that acted as the gateway housed text messages for over 26 million people and included things like Amazon tracking codes, password resets from Badoo, Booking.com two-factor codes, and various other alerts and resets from companies like Google, HQ Trivia, Huawei, and others.
And, you know, the actual phone numbers, as well.
Voxox has now shut down that server as it attempts to increase the security of the data, but for us, it is a stark reminder that anything can be breached.
It is also a solid case against text-message two-factor authentication. Authenticator apps are not only safer but typically more convenient as well.
What do you think of the news? Have you accepted that you’ll probably be the victim of a data breach at some point? Let us know in the comments.