YX International leaks SMS 2FA codes of major cloud platforms
YX International, a tech firm that processes millions of SMS texts daily, experienced a data exposure in which a database containing two-factor authentication (2FA) codes and password reset links for major platforms like Facebook, Google, WhatsApp, and TikTok was exposed.
YX International Information Co., Ltd is based in Huizhou, China, and was established in 2012. The company specializes in manufacturing communication devices and services, including GOIP gateway, VOIP products, GSM modem, and IP Phone, among others.
This database, accessible via its public IP address without a password, included sensitive information that could potentially compromise the security of millions of users' accounts.
The leak was discovered by security researcher Anurag Sen, who noted that the database was actively growing with logs dating back to July 2023. Despite the inherent security provided by 2FA, the incident highlights the vulnerability of SMS-based authentication methods to leaks and interceptions.
YX International has since addressed and sealed the vulnerability, though it remains unclear how long the data was exposed and whether it was accessed by unauthorized parties. Meta, Google, and TikTok have not commented on the incident.