Millions of Facebook and Google Users Hit by 2FA Data Leak

A SMS routing company used by Google, Facebook and TikTok is accused of leaking its own database.

Millions of Facebook, Google, WhatsApp and TikTok users have had their account security compromised, after a text message routing company left one of its internal databases exposed and leaked supposedly private 2FA (two-factor authentication) codes into public view.

The massive bungle is virtually the same as a full on data breach and the buck stops with YX International, an Asia-based tech company that claims to process as many as five million SMS texts a day.

It also makes cellular networking equipment, but in this case its expertise appears to lie in leaving sensitive data in plain view online, without so much as a password protecting the one-time passcodes and password reset links that were discovered.

Researcher Reveals Leaky Company Database

YX International might not be a name you’re familiar with, at least until now. However, it seems to have been contracted by some of the biggest tech operations around to process highly sensitive SMS messages featuring 2FA codes and password recovery details.

Security researcher Anurag Sen discovered the loophole, which saw the YX database available to view online with nothing more than knowledge of its public IP address.

Surfshark logo🔎 Want to browse the web privately? 🌎 Or appear as if you're in another country?
Get a huge 86% off Surfshark with this special offer.See deal button

This means that users of some of mega platforms like TikTok, Facebook, WhatsApp and Google could have their one-time passcodes and even password reset links compromised by bad actors.

It’s unclear if this happened, as the server that hosted the details didn’t store access logs, which would have shown if anyone other than Sen visited it.

YX International Has “Sealed” Vulnerability

In addition, the database also included a number of YX International employee email and password combinations, making it tantamount to a breach for the guilty company as well.

A mystery YX spokesperson has since told TechCrunch, who first reported on the leak, that the company has now “sealed this vulnerability” without expanding on the incident.

The good news, if there is any, is that two-factor authentication passcodes typically expire a matter of minutes if not seconds after they’re issued. This means that bad actors would have had to be lurking on the leaked database in real-time to have a chance of making use of the SMS firm’s shocking security oversight.

Another Day, Another Security Blunder

News of YX International’s massive goof would probably hit harder, if such epic fails weren’t worrying commonplace in the world of cybersecurity.

Unfortunately, they are. In our recently released Impact of Technology in Workplace report, for instance, we highlight that 1 in 10 business leaders admit to being unaware if their company was hacked in the last year or not.

It’s cybersecurity statistics like these that underline the importance of having the right tools at your disposal, namely a good cheap VPN, as when in use these apps help throw online crooks off the scent of your private data, even if vulnerabilities exist elsewhere.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at

Written by:
James Laird is a technology journalist with 10+ years experience working on some of the world's biggest websites. These include TechRadar, Trusted Reviews, Lifehacker, Gizmodo and The Sun, as well as industry-specific titles such as ITProPortal. His particular areas of interest and expertise are cyber security, VPNs and general hardware.
Back to top