Using two-factor authentication (2FA) is generally regarded as a superior way of securing an account than using a password alone, but even adding that extra layer of security comes with its own unique risks. This was highlighted in a recent security breach in which tens of millions of SMS text messages were exposed. Some of those text messages contained 2FA codes.
All of those text messages sat on a server belonging to Voxox, a communications firm located in San Diego, California. Voxox is wholesaler of SMS, voice, VOIP, and cloud communication services for small businesses. One of the things it does is convert 2FA codes into text messages, which are then routed through cell towers and ultimately to the end user.
For whatever reason, Voxox did not protect the aforementioned server with a password, TechCrunch discovered. Anyone who knew where to look would have been able to view text messages as they passed through, including ones containing password reset links, 2FA codes, shipping notifications, and other information that shouldn't be publicly visible.
Voxox took the server offline after TC inquired about it, but it's startling that it was ever online without sitting behind a password in the first place. When it closed, the database showed more than 26 million text messages had been sent this year. However, the number of messages that passed through the platform per minute indicates that the 26 million figure may be a conservative one.
Either way, this is concerning. The records in the database were very detailed, containing the recipient's phone number and the customer who sent the SMS message. TC posted a list of things it discovered while looking at the database, including a password sent in plaintext to a phone number in Los Angeles, six-digit security codes sent by Fidelity Investments, shipping notifications sent by Amazon, and more.
It's always concerning when a lapse in security exposes personal information, but having access to 2FA codes takes things to another level.
Voxox hasn't said if any of the data had been abused before the server was pulled offline, but is looking into the issue and evaluating the impact.