from Hacker News

A leaky database spilled 2FA codes for the tech giants

by arkadiyt on 3/1/24, 12:07 AM with 9 comments

  • by hyperman1 on 3/1/24, 11:45 AM

    The error: A database connected straight to the internet.

    This description alone points to multiple organizational failures:

    * Nobody did security scans from the outside

    * Managing the firewall failed or the firewall does not exist.

    * They have a culture where having production systems without passwords is acceptable. Also: They don't know who has access to their production data.

    * Their customers rely on a third party without regular audits

    We probably can go on like this for a while.

  • by vinay_ys on 3/1/24, 2:01 PM

    The only thing that's both safe and convenient to use is FIDO2 physical keys. For 2FA I hate it when services provide more secure options like FIDO2 keys and the least secure options like SMS OTP, with no way to disable them. Even worse is when some sites still do security questions.

  • by advisedwang on 3/1/24, 4:17 AM

    Equally galling to the leak itself is that XY is storing text messages long after delivering them. Inexcusable.

  • by palmfacehn on 3/1/24, 5:41 AM

    How many more reasons do we need to not use SMS as an authentication tool?

  • by jasfi on 3/1/24, 6:05 AM

    Don't 2FA codes have short expiry times?
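An added example, not part of the thread or of any vendor's code, showing what a short expiry actually does and does not protect against: a minimal server-side OTP store with a validity window and single-use enforcement. The 6-digit code format, the 300-second window, the user name and the timestamp are all assumptions made here for illustration.

```python
import hmac
import secrets

# Assumed validity window for a delivered code (not taken from the thread).
CODE_TTL_SECONDS = 300


def issue_code(store, user, now):
    """Generate a fresh 6-digit numeric code for `user` and record when it was issued."""
    code = f"{secrets.randbelow(10**6):06d}"
    store[user] = {"code": code, "issued_at": now, "used": False}
    return code


def verify_code(store, user, submitted, now):
    """Accept `submitted` only if it matches, is still inside the window and is unused."""
    entry = store.get(user)
    if entry is None:
        return False
    if now - entry["issued_at"] > CODE_TTL_SECONDS:
        return False  # expired: a code read from an old log is worthless here
    if entry["used"]:
        return False  # single use: a replay of a consumed code is rejected
    if not hmac.compare_digest(entry["code"], submitted):
        return False  # constant-time compare avoids a timing side channel
    entry["used"] = True
    return True


def leaked_code_scenario():
    """Walk through what a leaked code buys an attacker at different times.

    Returns the three outcomes as a dict so they can be checked directly.
    """
    store = {}
    t0 = 1_709_251_200  # constructed timestamp (2024-03-01 00:00:00 UTC)
    code = issue_code(store, "alice", t0)

    # Attacker reads the code from a live log 30 s after delivery: inside the window.
    within_window = verify_code(store, "alice", code, t0 + 30)

    # The same code submitted again: single-use enforcement rejects it.
    replay = verify_code(store, "alice", code, t0 + 31)

    # A fresh code whose leak is only read after the window has closed.
    code2 = issue_code(store, "alice", t0 + 1000)
    after_expiry = verify_code(store, "alice", code2, t0 + 1000 + CODE_TTL_SECONDS + 1)

    return {
        "within_window": within_window,
        "replay": replay,
        "after_expiry": after_expiry,
    }


if __name__ == "__main__":
    print(leaked_code_scenario())
```

The expiry only helps when the leak is read later than the window; an attacker watching an exposed message log in near real time is inside the window by construction, and the expiry says nothing about the delivered messages themselves still sitting in storage afterwards.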