SMS Database Leak Exposed 2FA Login Codes

When you receive text messages from companies, such as shipment notifications from Amazon or two-factor authentication codes from Twitter, it’s likely that those messages were made possible by a company called Voxox. Unfortunately, as TechCrunch reports, Voxox left a server completely unsecured, which has resulted in the exposure of tens of millions of password reset links, two-factor authentication codes, shipping notifications, and more. This is yet another reason not to rely on SMS text messages for two-factor authentication, and instead to use an authentication app like Authy or 1Password, when possible.

Comments About SMS Database Leak Exposed 2FA Login Codes

Notable Replies

  1. Isn’t this out of my control? What can I do to get people like a Medical Group who uses online checkin to use something better than SMS?

  2. Some, but clearly not all such organizations allow you to opt-out of SMS, but you are correct that some still don’t. The only thing you can do is lodge a formal complaint with them, citing this latest compromise as one such vulnerability, and there is more than one.

  3. PayPal is yet another that still is using SMS. I was surprised when I set up 2FA with them today.

  4. Authy & 1Password both support a much more secure form of 2FA.

  5. Thanks for the tip – I guess this brings up another question though:

    If you are already using 1Password (with a strong master password, etc.), is there any advantage in 2FA?

  6. This explains the “Why” much better than I could ever hope to. In addition, you’ll find sites that require you to use 2FA. For example, to use Apple Application Specific Passwords, you must first be using 2FA or Apple will not allow you to setup ASP’s.

    Check out this explanation of Why 2FA.

  7. Excuse my ignorance, but I’m wondering if this is a bit alarmist? I see where tens of millions of reset codes and links, shipping notices, etc. were revealed, but aren’t 99.999% of those obsolete and useless? Except for perhaps a small handful that occurred in the last 10 minutes, reset codes become obsolete once they’re used. Don’t they also time out if not used?

    Credit card numbers, SSNs, bank account numbers, etc. are serious problems, and certainly the fact that such a breach even occurred is worrisome and I agree this adds to the unfortunate train of breaches victimizing us. But help me understand the real damage of this particular one? Do I really need to worry that much about this particular information being in the wild?

  8. Most likely what you say is correct, but I would be more concerned that the culprit now has access to my phone numbers, names, the companies they deal with, etc. Which opens up a whole new can of worms.

  9. Here is the form of a text of a 2-factor authorization message I received from PayPal at my cell number:

    PayPal: Your security code is: nnnnnnn. Your code expires in 5 minutes. Please don’t reply.

    It seems to me that the only non-noise that could be recovered is the cell number, the security code, and the sender (PayPal). However, after 5 minutes at most, the security code is meaningless. So it strikes me that all an attacker gets is that a cell number can receive a text and is associated with a PayPal account. While that could be useful if you had other associations for the cell number, it is otherwise pretty useless.

    So I think the security implications here are limited.

  10. blm

    That’s plenty. In many cases it’s fairly easy for someone to steal your phone number by transferring it to a new phone. Once that happens, they can go to PayPal, do a forgot password, which sends a security code to your (now their) phone, and use that code to set a new password and log in to your PayPal account, where they can send themselves money from anything you’ve got connected to your PayPal account (credit & debit cards, bank accounts). Maybe you’re using a carrier that actually takes security seriously (are there any?) and won’t just transfer your number because someone asks, and maybe you don’t have any payment method that would let someone steal a lot of money connected to your PayPal account, so this may not affect you personally, but in general, it’s a pretty severe breach (because of others’ poor security practices admittedly, but still…) Brian

  11. Note that this strategy requires some additional information (a tie between the cell phone number and PayPal login email). Nowhere does the message itself point to that.

  12. Perhaps a single PayPal 2FA message doesn’t point to it, but this was a breach of millions of messages that were searchable. Search for the same phone number and perhaps you’ll find other messages that show an email address, which is the user name for most PayPal accounts. And from that you can try to gain access to the account. And we know that cell phone numbers are vulnerable to SIM hacking.
