One Million Two-Factor Authentication Codes Were Recently Exposed

By Emily Long

One-time SMS codes are widely used as the second checkpoint in two-factor authentication (2FA) to sign into everything from banking apps to email accounts. As I’ve written before, though, SMS is one of the least secure 2FA methods, as it can be phished relatively easily.

It turns out these codes may also be visible to other parties besides the sender (the service generating the code) and the recipient (you), increasing the risk that your accounts can be compromised by bad actors. As reported by Bloomberg Businessweek, an obscure third-party telecom service had access to at least one million 2FA codes that passed through its network.

How more than one million SMS codes were compromised

An investigation led by Bloomberg and Lighthouse Reports—based on data received from an industry whistleblower—found that more than a million text messages containing 2FA codes were visible to Swiss company Fink Telecom Services during June 2023. As an intermediary between the companies that generate authentication codes and the users logging into their accounts, Fink handled the messages and had access to their content.

While this is a weakness in SMS—which is unencrypted and relatively easy to intercept—the Fink incident is particularly concerning due to the company’s involvement in the surveillance industry and alleged infiltration of user accounts.

According to the reporting, the messages came from senders like Google, Meta, Amazon, Tinder, Snapchat, Binance, Signal, WhatsApp, and several European banks and went to recipients in more than 100 countries.

Continue reading