One Million Two-Factor Authentication Codes Were Recently Exposed

This further underscores that SMS is the worst option for 2FA.

Jun 18, 2025 - 14:40

One-time SMS codes are widely used as the second checkpoint in two-factor authentication (2FA) to sign in to everything from banking apps to email accounts. As I've written before, though, SMS is one of the least secure 2FA methods, as it can be phished relatively easily.

It turns out these codes may also be visible to other parties besides the sender (the service generating the code) and the recipient (you), increasing the risk that your accounts can be compromised by bad actors. As reported by Bloomberg Businessweek, an obscure third-party telecom service had access to at least one million 2FA codes that passed through its network.

How more than one million SMS codes were compromised

An investigation led by Bloomberg and Lighthouse Reports—based on data received from an industry whistleblower—found that more than a million text messages containing 2FA codes were visible to Swiss company Fink Telecom Services during June 2023. As an intermediary between the companies that generate authentication codes and the users logging into their accounts, Fink handled the messages and had access to their content.

While this is a weakness in SMS—which is unencrypted and relatively easy to intercept—the Fink incident is particularly concerning due to the company's involvement in the surveillance industry and alleged infiltration of user accounts.

According to the reporting, the messages came from senders like Google, Meta, Amazon, Tinder, Snapchat, Binance, Signal, WhatsApp, and several European banks and went to recipients in more than 100 countries.

Companies commonly use intermediaries to send text messages at cheaper rates, which are possible thanks to large contracts with multiple carriers and the ownership or lease of so-called "global titles": network addresses that facilitate communication between carriers in different countries. Maintaining privacy and security standards when working with third parties is further complicated by the fact that Fink (and others like it) are often subcontractors not hired directly by the original companies.

Bottom line: If you use SMS as your authentication method, you aren't guaranteed that no one else has access to your code or that they won't use it to hack your private accounts.

More secure 2FA alternatives

Unfortunately, many companies continue to rely on SMS for 2FA, but wherever possible, you should opt for other multi-factor authentication (MFA) methods.

The most secure choices are based on WebAuthn credentials, like biometrics or passkeys, which are stored on your device or a physical security key. These methods don't pass unencrypted through a third party, and they are highly resistant to phishing attacks. Authenticator apps like Google Authenticator, which generate codes on your device and refresh them every 30 seconds, are also stronger than SMS.
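To show why an authenticator-app code never has to cross a carrier network, here is an added example (not from the original article or from any app's source) of time-based one-time passwords as specified in RFC 6238: both the device and the server derive the code from a shared secret and the clock. The secret is the constructed test key from the RFC, and the names `totp` and `verify` are assumptions of this example.

```python
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per code, matching the 30-second refresh described above


def totp(secret: bytes, now: float, digits: int = 6, step: int = STEP) -> str:
    """Derive the code for the time window containing `now` (RFC 6238, SHA-1)."""
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, submitted, now, last_counter=-1, drift=1, step=STEP):
    """Server-side check. Returns the matched time counter, or None.

    Accepts +/- `drift` windows for clock skew and skips every window at or
    before `last_counter`, so a code that was already used cannot be replayed.
    """
    if not (submitted.isascii() and submitted.isdigit()):
        return None
    current = int(now) // step
    for counter in range(current - drift, current + drift + 1):
        if counter < 0 or counter <= last_counter:
            continue
        expected = totp(secret, counter * step, len(submitted), step)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return counter
    return None


# Constructed sample secret: the ASCII test key from RFC 6238 Appendix B.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = time.time()
    code = totp(SECRET, now)  # computed locally, nothing is sent by SMS
    used = verify(SECRET, code, now)
    print("current code:", code, "accepted in window", used)
    replay = verify(SECRET, code, now, last_counter=used, drift=0)
    print("replay accepted:", replay is not None)
```

The only value that ever leaves the device is the short-lived code itself, typed into the login form; the server should store the returned counter per account and pass it back as `last_counter` on the next attempt.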

In general, the more authentication factors required for logging in, the greater the security, though these factors should be independent and not all accessible on the same device.