Billions of Users at Risk: How 2FA Codes Were Compromised

If you’re one of the millions using SMS for two-factor authentication (2FA), you’ll want to pay close attention to this breaking news. An investigative report by Bloomberg, corroborated by a whistleblower and Lighthouse reports, has revealed that over one million SMS messages containing 2FA codes were intercepted in June 2023.

Which Companies Were Affected?

Major tech giants and financial institutions are among the victims. Google, Meta, Amazon, Tinder, Snapchat, Signal, WhatsApp, Binance, and numerous European banks were all targeted. The blame falls on Fink Telecom Services, a Swiss company suspected of facilitating fraudulent access to accounts.

The Dangers of SMS for 2FA

Unlike authentication apps, SMS messages are not encrypted. This means anyone with access to the telecommunication network can intercept these messages. Hence, even though 2FA was designed to protect you if your password is stolen, if the second factor (the code) is intercepted, the system becomes ineffective.

Imagine a hacker or agency having your username and password and then intercepting the SMS code—they can gain complete control over your account, bypassing every barrier.

How to Protect Yourself

To ensure your security:

• Avoid using SMS for 2FA codes.
• Use reliable authentication apps like Google Authenticator, Microsoft Authenticator, 1Password, or Authy.
• Transition to passkeys if available, utilizing face ID or touch ID for authentication.

Evergreen Tips for Secure Online Practices

Beyond 2FA, here are some additional best practices for enhanced online security:

• Use strong, unique passwords.
• Enable two-factor authentication whenever possible.
• Keep your software and devices updated.
• Be cautious of phishing emails and unsecured networks.