HackMyIP
2026-01-21 Ars Technica

SMS Sign-In Links Expose Millions of Users' Sensitive Data

Tags: Vulnerability, Authentication, Data Breach

Even major online services that pride themselves on seamless login experiences are quietly exposing sensitive user data through SMS sign-in links. Security researchers who analyzed the authentication pipelines of several popular platforms found that the one-time links meant to replace passwords embed session tokens and personal identifiers, and because SMS carries the message in cleartext, anyone who can read the text can read the token.

An attacker who intercepts the SMS, whether through SIM-swap fraud, network-level eavesdropping, or malware on the device, immediately holds the embedded token. Because the token is a bearer credential that the service accepts on its own, it can be used to hijack the user's session, view personal information, and even change account settings without ever knowing the original password. The leakage is not limited to the token: the message often also carries the service name, a hash of the user's phone number, and sometimes the IP address from which the sign-in request originated.

The scale of the exposure is alarming. Estimates suggest that tens of millions of users across multiple high-traffic services go through these SMS-based authentication flows each month. In the worst case, a single intercepted link hands an adversary an account belonging to a high-profile individual, a corporate user, or a consumer who reuses credentials across sites.

Security experts advise users to move away from SMS-based authentication altogether and adopt app-based push notifications or hardware security keys instead. Service providers are urged to replace cleartext token delivery with encrypted, device-bound mechanisms, such as QR-code sign-in or proprietary secure channels, that keep the token out of the message body. Until such changes are widely deployed, the risk of account takeover and data exposure will remain elevated.
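As an added illustration, and not code from Ars Technica, the researchers, or any of the services discussed, the block below contrasts the weak pattern described above (an SMS link that carries a session-grade token, so reading the message is the same as holding the session) with a device-bound variant of the kind the recommendation points at: the token in the SMS is only half of the credential, the other half is a secret set as a cookie on the browser that requested the link, the server stores only hashes, and each link is single-use and expires. The class name, the example.test URLs, the five-minute lifetime, and the in-memory stores are assumptions made for this demo.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Added example. The URLs, timings and class are assumptions for the demo,
# not details taken from the article or from any real provider.
LINK_TTL_SECONDS = 300  # assumed lifetime of a sign-in link


def _h(value: str) -> str:
    """Store only hashes, so a leaked pending-login table is not a leaked token."""
    return hashlib.sha256(value.encode()).hexdigest()


def _param(link: str, name: str):
    """Pull one query parameter out of a sign-in link (None if absent)."""
    return parse_qs(urlparse(link).query).get(name, [None])[0]


class MagicLinkService:
    """In-memory stand-in for a login backend (constructed for this example)."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # token hash -> pending login record
        self.sessions = {}  # session id -> user

    # Weak pattern from the article: the SMS body carries a session-grade
    # token, so whoever reads the message already holds the session.
    def weak_request(self, user: str) -> str:
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = user
        return f"https://example.test/login?session={session_id}"

    def weak_resolve(self, link: str):
        return self.sessions.get(_param(link, "session"))

    # Hardened pattern: the SMS token is only half the credential. The other
    # half is a secret set as a cookie on the browser that asked for the link.
    def request_link(self, user: str):
        token = secrets.token_urlsafe(32)
        device_secret = secrets.token_urlsafe(32)
        self.pending[_h(token)] = {
            "user": user,
            "device_hash": _h(device_secret),
            "expires": self.now() + LINK_TTL_SECONDS,
            "used": False,
        }
        # Only the link goes over SMS; the device secret goes into a cookie.
        return f"https://example.test/login?t={token}", device_secret

    def complete_login(self, link: str, device_cookie):
        """Return a session id, or None if the token is unknown, used, expired,
        or presented without the matching device cookie."""
        token = _param(link, "t")
        rec = self.pending.get(_h(token)) if token else None
        if rec is None or rec["used"] or self.now() > rec["expires"]:
            return None
        if device_cookie is None or not hmac.compare_digest(
            _h(device_cookie), rec["device_hash"]
        ):
            return None
        rec["used"] = True  # single use: a captured link cannot be replayed
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = rec["user"]
        return session_id


def demo() -> dict:
    """Walk interception, replay and expiry through both patterns."""
    clock = [1_700_000_000.0]  # controllable clock instead of wall time
    svc = MagicLinkService(now=lambda: clock[0])

    weak_link = svc.weak_request("alice")
    # Weak: an attacker who reads the SMS hijacks the session outright.
    weak_hijack = svc.weak_resolve(weak_link)

    link, cookie = svc.request_link("alice")
    attacker_no_cookie = svc.complete_login(link, None)        # SMS alone
    attacker_wrong_cookie = svc.complete_login(link, "guess")  # SMS + wrong device
    legit_session = svc.complete_login(link, cookie)           # SMS + right device
    replay = svc.complete_login(link, cookie)                  # same link again

    link2, cookie2 = svc.request_link("alice")
    clock[0] += LINK_TTL_SECONDS + 1
    expired = svc.complete_login(link2, cookie2)               # past the TTL

    return {
        "weak_hijack": weak_hijack,
        "attacker_no_cookie": attacker_no_cookie,
        "attacker_wrong_cookie": attacker_wrong_cookie,
        "legit_session": legit_session,
        "replay": replay,
        "expired": expired,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Device binding defeats the interception cases the article lists (a link the victim requested being read off the wire, off a swapped SIM, or by malware) only when the attacker does not also control the requesting browser. An adversary who first swaps the SIM and then requests a link from their own device receives both halves, which is why the advice above still points users toward push approvals or hardware keys rather than a better-packaged SMS.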

Source: Ars Technica
