tech

January 23, 2026

Millions of people imperiled through sign-in links sent by SMS

Even well-known services with millions of users are exposing sensitive data.

Millions of people imperiled through sign-in links sent by SMS

TL;DR

  • Websites using SMS authentication links for user verification are jeopardizing millions of users' privacy.
  • Scammers can exploit easily guessable or brute-forced links to access accounts and personal data.
  • Researchers identified over 700 endpoints on behalf of 175 services that put user security at risk.
  • SMS messages are sent unencrypted, and some authentication links remain valid for years.
  • The practice is popular due to perceived lower customer friction and avoidance of password management.
  • More secure alternatives like time-limited email 'magic links' or multi-factor authentication are suggested.
  • Service providers are identified as the root cause, with users having limited recourse.
  • Many service providers have been unresponsive to fixing these security vulnerabilities.

Continue reading the original article