Saturday , April 17 2021

A major SMS security lapse is a reminder to use authenticator apps

A brief data breach has exposed a database of about 26 million text messages containing customers' private information, TechCrunch reports. Beyond the privacy issues, the breach also highlights the dangers of relying on SMS messages to receive two-factor authentication codes or account-recovery links, since it sends sensitive information over an unencrypted communications channel.

The breach was brought to light by Sébastien Kaul, a Berlin-based security researcher, who found that the database, managed by Voxox, was exposed, unprotected and easily searchable by both name and phone number. Because the server was still active after the breach was discovered, anyone could have monitored the data feed almost in real time to pick out the two-factor authentication code sent after an attempt to log in to someone else's account. Only after being contacted by TechCrunch did Voxox delete the database, which contained text messages sent to customers of companies such as Google, Amazon and Microsoft.

Two-factor authentication is one of the best ways to protect your accounts from hijacking. Even if someone has your username and password, they will not be able to sign in without this second code. Although it is common for websites and services to send the code as a text message to your phone number (on the assumption that only someone with access to the phone can log in), a breach like this one (or the far more common SIM swap) would let an attacker see the code sent to your phone and use it to log in to your account.

Instead, using an authenticator app such as Google Authenticator or 1Password (with its built-in 2FA code generator) is both more convenient and more secure. These apps are entirely self-contained: no confidential data is sent to them, which has the secondary benefit of letting them work when the phone has no active mobile connection. Hardware security keys are also increasingly popular, and Google reports that it has not seen a single successful phishing attack since hardware security keys became mandatory for its employees. Unfortunately, in some cases you will still have to rely on SMS as a backup, but it should be used only as a last resort to minimize your exposure to breaches like this one.
