A recent data breach has exposed a database of around 26 million text messages containing private customer information, reports TechCrunch. In addition to the privacy concerns, the breach also highlights the dangers of relying on SMS messages for receiving two-factor authentication codes or account reset links, which sees sensitive information sent over an unencrypted communications platform.
The breach was brought to light by a Berlin-based security researcher named Sébastien Kaul, who discovered that the Voxox-managed database was discoverable, unprotected, and easily searchable for both names and telephone numbers. Since the server was still active after the breach was discovered, anyone could have monitored a near-real-time data stream to find the relevant two-factor authentication code sent after trying to log into someone else’s account. Only after being contacted by TechCrunch did Voxox take down the database, which contained text messages sent to customers from companies including Google, Amazon, and Microsoft.
Two-factor authentication is one of the best ways you can protect your accounts against being hijacked. Even if someone has your username and password, they won’t be able to log in without this second code. While it’s common for websites and services to text you this number (meaning only someone with access to your phone can log in), a breach such as this (or the increasingly common SIM hijacking) would allow a hacker to see the code being sent to your phone, and use it to login to your account.
Instead, using an authentication app such as Google Authenticator or 1Password (with it’s built-in 2FA code generator) is much more convenient and secure. These apps are completely self-contained, meaning no sensitive data needs to be sent to them, and this also creates the secondary benefit of allowing them to work when your phone doesn’t have an active cell connection. Increasingly, hardware keys are also proving popular, with Google reporting that it has seen no successful phishing attacks since making hardware security keys mandatory for its employees. Unfortunately in some cases you’ll still need to rely on SMS as a security backup, but this should only be used as a last resort to minimize your exposure to breaches such as this.