A security breach exposed two-factor authentication (2FA) codes/password reset links for millions of users on platforms like Facebook, Google, and TikTok.
Key Points:
- YX International, an SMS routing company, left an internal database exposed online without a password.
- The database contained one-time 2FA codes and password reset links for various tech giants.
- YX International secured the database and claims to have “sealed the vulnerability.”
- The company wouldn’t confirm how long the database was exposed or if anyone else accessed it.
- Representatives from Meta, Google, and TikTok haven’t commented yet.
Concerns:
- This leak highlights the weakness of SMS-based 2FA, whose codes pass through third-party routing providers like this one, compared to app-based methods.
- The lack of information regarding the leak’s duration and potential access by others raises concerns.
Gemini Recommendations:
- Consider switching to app-based 2FA for increased security.
- Be cautious of suspicious communications and avoid clicking unknown links.
- Stay informed about potential security breaches affecting your online accounts.
Mine uses SMS 2FA AND had a 16-character password limit. I need to switch banks already. Any suggestions for a decent bank or credit union that uses modern password cryptography and app-based TOTP?
Well, Capital One still uses SMS 2FA … BUT if you’re going to be using budget apps, they allow OAuth, which was the big selling point for me (i.e. not giving my bank account password to a third party).
SMS 2FA is dumb, but I thought 16 characters are okay right now. Does the bank have a lockout enabled that blocks you for a certain time period after too many password mistakes?
They’re good as long as there aren’t any limits on characters you can use.
Some people like to use passphrases. But honestly, the gold standard is a password manager with randomized strings.