New, by me: A technology company that routes millions of SMS text messages across the world has secured an exposed database that was spilling one-time security codes that may have granted usersβ access to their Facebook, Google and TikTok accounts.
The SMS routing company's database was connected to the internet with no password.
More: https://techcrunch.com/2024/02/29/leaky-database-two-factor-codes/
@zackwhittaker so much "you had one job" it hurts.
And plenty of services use SMS codes as the only factor (which is already stupid, but this just brings it to the next level)
@zackwhittaker WHY DO SO MANY COMPANIES ONLY USE SMS FOR MFA???????
:sigh:
@zackwhittaker it's always appalling to me that banking apps/websites insist on using insecure SMS for 2FA.
I still really prefer TOTP to SMS, since getting past the former requires access to previously-generated secrets. The odds of an adversary getting access to your SMS 2FA coded seem much greater than them getting access to the files on one of your devices, cracking the encryption on your TOTP vault, and getting those secrets.
But I've heard security researches discourage TOTP. Still true?
Robert McMillan
Zack Whittaker
Alexandre Colucci
Emelia πΈπ»
nepi
Jack Yan (ηη΅ζ©)
lick here for more info
San Diego Dana
ferricoxide
Oliver Calder
Yosa Beam β
ππ³οΈβππ³οΈββ§οΈ
Dan Fixes Coin-Ops
jonny (good kind)
Karel P Kerezman