TechCrunch: A leaky database of SMS text messages exposed password resets and two-factor codes

TechCrunch: A leaky database of SMS text messages exposed password resets and two-factor codes. “A security lapse has exposed a massive database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more. The exposed server belongs to Voxox (formerly Telcentris), a San Diego, Calif.-based communications company. The server wasn’t protected with a password, allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages.”

Ars Technica: Password breach teaches Reddit that, yes, phone-based 2FA is that bad

Ars Technica: Password breach teaches Reddit that, yes, phone-based 2FA is that bad. “In a post published Wednesday, Reddit said an attacker breached several employee accounts in mid-June. The attacker then accessed a complete copy of backup data spanning from the site’s launch in 2005 to May 2007. The data included cryptographically salted and hashed password data from that period, along with corresponding user names, email addresses, and all user content, including private messages. The attacker also obtained email digests that were sent between June 3 and June 17 of this year. Those digests included usernames and their associated email address, along with Reddit-suggested posts from safe-for-work subreddits users were subscribed to.”

The Verge: Facebook admits SMS notifications sent using two-factor number was caused by bug

The Verge: Facebook admits SMS notifications sent using two-factor number was caused by bug. “Facebook this evening clarified the situation around SMS notifications sent using the company’s two-factor authentication (2FA) system, admitting that the messages were indeed caused by a bug. In a blog post penned by Facebook Chief Security Officer Alex Stamos, the company says the error led it to ‘send non-security-related SMS notifications to these phone numbers.’”

Warning: A simple text message can crash iOS and macOS (BetaNews)

BetaNews: Warning: A simple text message can crash iOS and macOS. “The chaiOS bug, as it’s been dubbed, links to a page of code on GitHub. When the recipient clicks on the link, Apple’s Messages app freaks out, and ultimately crashes. Bugs like this are a nuisance rather than a genuine worry, and Apple does tend to roll out updates for such issues pretty quickly, so there’s a good chance it will be fixed in the near future.” I don’t think this has been weaponized, so it’s more of an “Oh boy this is annoying” issue than a security issue.