Another week, another password breach. A new report by Lighthouse Reports has uncovered a massive breach that has exposed more than 10 lakh account passwords and two-factor authentication (2FA) codes from some of the world’s largest tech companies — including Google, Amazon, Meta and numerous banks and dating apps.
The breach highlights a hidden vulnerability in the delivery chain for 2FA codes — messages meant to keep accounts safely locked — putting countless accounts at risk of fraud and takeover.
The revelations come from Lighthouse Reports, which investigated nearly 100 million phone messages routed through Fink Telecom Services. Among these messages were numerous 2FA codes, password resets and account confirmations — messages that many companies consider a key layer of account security.
How the breach happenedTech companies typically do not send 2FA codes directly to their users’ phone numbers. Instead, messages are routed through a sprawling network of intermediate providers — companies that specialise in delivering messages quickly and at low cost across borders. Fink Telecom, a small Switzerland-based provider, was one of these middlemen.
Lighthouse Reports’ cache of messages shows how Fink routed messages for over 1,000 companies — including banks, online marketplaces, dating sites and messaging apps — through its network. The messages often included phone numbers, account IDs and the actual 2FA codes — all visible to Fink and its partners, putting account security at risk.
Why it mattersThis breach underscores a growing vulnerability in the ecosystem for delivering messages. The industry’s practice of outsourcing delivery to numerous providers — often based in jurisdictions with weak oversight — means messages can pass through companies that have little accountability and poor safeguards.
This is not a small oversight. The messages routed through Fink were meant to be kept private and routed safely to their recipients. Instead, many were exposed to a range of companies, surveillance providers and fraudsters who could intercept or exploit this data.
What can you do about it?To help protect your accounts in light of this breach, consider taking the following steps:
Enable an Authenticator App: Whenever possible, use an app like Google Authenticator or Microsoft Authenticator instead of SMS messages for 2FA codes.
Change Your Passwords: If you suspect your phone number or account may have been compromised, consider changing your password immediately.
Watch for Unusual Activity: Monitor your account activity for suspicious transactions or messages.
Remove Phone Number 2FA: Where supported, consider removing phone SMS 2FA in favour of more robust methods.
Switch to Passkeys: Most companies now support passkeys. It is advisable to switch to a passkey login option to keep your accounts safe.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
