Millions of people imperiled through sign-in links sent by SMS

Researchers analyzed public SMS gateways and collected 322,949,000 unique SMS-delivered URLs from over 33 million texts, finding that tokenized authentication links from 177 services (originating via 701 endpoints) exposed critical personally identifiable information—including SSNs, dates of birth, bank account numbers, and credit scores. The study warns that weak link-based SMS authentication is trivially exploitable at scale using consumer-grade hardware and basic web security knowledge, though ethical constraints limited the ability to measure the full scope of active exploitation.