Millions imperiled by sign-in links sent via SMS

Lead

A multinational research team from the universities of New Mexico, Arizona, Louisiana and the firm Circle reports that tokenized sign-in links sent by SMS put large numbers of people at risk. From the public SMS gateways they examined, the researchers extracted 332,000 unique URLs from about 33 million text messages sent to more than 30,000 temporary numbers. The study found 701 endpoints, operating on behalf of 177 distinct services, that exposed sensitive personally identifiable information to anyone who obtained a link. The authors warn the attack path is simple to test and can be executed with consumer-grade hardware and modest web-security skills.

Key Takeaways

  • The researchers collected 332,000 unique SMS-delivered URLs from a corpus of roughly 33 million text messages gathered via public SMS gateways.
  • Those messages had been sent to more than 30,000 temporary numbers, offering a limited but revealing view into SMS-based authentication practices.
  • The team identified 701 endpoints acting for 177 services that exposed critical PII including Social Security numbers, dates of birth, bank account numbers, and credit scores.
  • The principal vulnerability was reliance on tokenized, clickable sign-in or verification links in SMS that grant access to accounts to anyone possessing the URL.
  • Researchers emphasize the attack model is feasible using off-the-shelf hardware and basic to intermediate web-security knowledge, increasing its practical threat surface.

Background

SMS has long been known to be an insecure transport: messages travel in the clear and can be intercepted in transit or retrieved later from secondary repositories. Over recent years security researchers have repeatedly documented public databases and archives of previously sent texts that contained authentication links and private details. One widely reported 2019 discovery exposed millions of sent and received messages between a single business and its customers, including credentials and sensitive application data.

Despite these warnings, many services continue to rely on SMS for passwordless login and verification because it simplifies onboarding and reduces friction for users. Companies often favor tokenized links delivered by text because the approach avoids passwords and can boost conversion, yet it also creates a single bearer token that functions like a password if intercepted. Public SMS gateways, ad-supported sites that provide temporary numbers for receiving texts, offer a convenient lens for observing such traffic but do not represent the entire ecosystem.

Main Event

To avoid unethical intrusion, the research team limited themselves to publicly available SMS-receipt services and did not bypass access controls. From those sources they parsed roughly 33 million messages and identified 332,000 unique URLs used for authentication and account access. The dataset covered messages delivered to over 30,000 temporary numbers; although this sample is constrained, it revealed recurring patterns and weaknesses in how services implement mobile sign-in.

Analysis of the collected links and the responses they produced showed that 701 distinct endpoints, operating for 177 services, returned sensitive personal information when the tokenized link was followed. The exposed data reported by the researchers included Social Security numbers, dates of birth, bank routing and account numbers, and credit scores—data categories that enable identity theft and financial fraud.

The researchers describe the root cause as weak authentication architecture: tokenized URLs often act as bearer tokens with long lifetimes or insufficient binding to a specific device or session. As a result, possession of the URL equates to possession of the user’s session or verification capability; an attacker who harvests or intercepts the link can retrieve the associated personal data without further authentication.

Analysis & Implications

The practical implications are wide. Millions of consumers use SMS for two-factor authentication or passwordless sign-in, and the study’s findings demonstrate that the ecosystem includes numerous single points of failure. Tokenized links that are not tightly scoped or that remain valid for extended periods magnify the risk that a harvested URL will be usable long enough to be abused.

From an industry perspective, these results increase pressure on service providers to redesign verification flows. Mitigations include treating SMS links as ephemeral one-time secrets, binding links to device-specific attributes, using multi-step verification before returning PII, or replacing SMS with cryptographic authenticators and app-based push confirmations. The economics of user friction versus security will factor heavily in adoption of stronger methods.

Regulators and privacy advocates may also respond: exposure of high-risk PII such as Social Security numbers and bank details can trigger breach-notification obligations in many jurisdictions and could prompt stricter guidance on the use of SMS for authentication. For consumer-facing firms, the reputational and financial costs of a widely exploited pattern could be substantial.

Comparison & Data

Metric                       | Observed value
Text messages parsed         | ≈33,000,000
Unique SMS-delivered URLs    | 332,000
Temporary phone numbers seen | >30,000
Endpoints returning PII      | 701
Services implicated          | 177

The table summarizes the portion of the ecosystem the researchers could observe through public gateways. Because the team did not (and could not) access private carrier records or internal server logs, these figures are a conservative sample, not a claim of total scale. Still, the density of problematic endpoints in this sample indicates the weakness is systemic rather than isolated.

Reactions & Quotes

Study authors described the attack path as straightforward to reproduce and not dependent on specialized equipment, highlighting the low barrier for abuse if links are exposed. The following short excerpts capture their central technical point and the co-authoring firm’s role.

The attack scenario can be implemented with consumer-grade hardware and basic web-security know-how, making it practical at scale if links are exposed.

Study authors (University of New Mexico, University of Arizona, University of Louisiana, Circle)

Circle, listed among the co-authors, emphasized the practical tests and the ethical boundaries the researchers observed in their collection methods.

Researchers limited their data collection to publicly accessible SMS gateways to avoid breaching access controls, so their measurements present a conservative window into a larger problem.

Circle (co-author, industry)

Unconfirmed

  • The true overall scale of exposed SMS sign-in links across carrier infrastructures and private logs is unknown; public gateways offer only a partial view.
  • It is not confirmed whether observed exposed links were actively exploited in reported fraud incidents; the study did not and ethically could not attempt to trace downstream misuse.
  • Whether all implicated services have since revoked or hardened the affected endpoints is not established in the dataset.

Bottom Line

The research makes clear that tokenized sign-in links delivered by SMS can create widespread exposure of sensitive personal data when links are not tightly constrained. Because the attack model requires little specialized equipment, the practical threat is heightened by the ubiquity of SMS-based authentication and the persistence of public message repositories.

For consumers, the immediate defensive steps are to prefer app-based authenticators or hardware tokens where available, and to treat SMS links and one-time links as insecure transports for highly sensitive operations. For service operators, the priority actions are to shorten link lifetime, bind tokens to device or session attributes, avoid returning PII directly after a single-link follow, and accelerate migration to cryptographically stronger authentication methods.
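The operator controls named in the analysis section and in the priority actions above (short link lifetime, single use, binding the token to the requesting device or session, storing only a token hash, and refusing to return PII on a bare link follow) are shown below in one small Python service. This is an added example written for this page, not code from the study or from any service it describes. The five-minute lifetime, the `t` query parameter, the `example.invalid` host, the browser session identifier used as the binding attribute, and the sample user record are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs, urlparse

# Assumption for this example: links live for five minutes. The study reports
# long lifetimes as a weakness but does not prescribe a specific value.
LINK_TTL_SECONDS = 300

# Constructed sample user store; a real service reads from its own database.
SAMPLE_RECORDS = {
    "user-1": {"name": "Pat Example", "dob": "1990-01-01", "account_last4": "0000"},
}


@dataclass
class PendingLink:
    user_id: str
    session_id: str      # browser/device session that requested the link
    expires_at: float
    used: bool = False


def token_from_url(url: str) -> str:
    """Extract the bearer token from a sign-in URL (query parameter name 't' is assumed)."""
    return parse_qs(urlparse(url).query).get("t", [""])[0]


class MagicLinkService:
    """Issues and redeems SMS sign-in links as short-lived, single-use, session-bound secrets."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        # Keyed by SHA-256 of the token, so a leaked table does not yield usable links.
        self._pending: Dict[str, PendingLink] = {}
        # Sessions that completed the link step: session_id -> user_id.
        self._verified: Dict[str, str] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str, session_id: str) -> str:
        """Mint a link for the session that asked for it; only the token hash is kept."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._hash(token)] = PendingLink(
            user_id=user_id,
            session_id=session_id,
            expires_at=self._now() + LINK_TTL_SECONDS,
        )
        # Placeholder host; the real verification endpoint is service-specific.
        return f"https://example.invalid/verify?t={token}"

    def redeem(self, token: str, session_id: str) -> Tuple[bool, str]:
        """Consume a link, rejecting replay, expiry and use from a foreign session."""
        link = self._pending.get(self._hash(token))
        if link is None:
            return False, "unknown token"
        if link.used:
            return False, "token already used"           # replay of a harvested link
        if self._now() > link.expires_at:
            return False, "token expired"                # long-lived links are refused
        if not hmac.compare_digest(link.session_id.encode(), session_id.encode()):
            return False, "token not bound to this session"  # opened from another device
        link.used = True
        self._verified[session_id] = link.user_id
        return True, "link accepted; step-up still required for PII"

    def account_view(self, session_id: str, step_up_done: bool) -> dict:
        """Following the link alone never returns PII; a second step must complete first."""
        user_id = self._verified.get(session_id)
        if user_id is None:
            return {"status": "unauthenticated", "pii": None}
        if not step_up_done:
            return {"status": "link_verified", "pii": None, "next": "complete second factor"}
        return {"status": "authenticated", "pii": SAMPLE_RECORDS[user_id]}


if __name__ == "__main__":
    svc = MagicLinkService()
    url = svc.issue("user-1", "session-A")
    tok = token_from_url(url)
    print(svc.redeem(tok, "session-B"))   # harvested link opened elsewhere: rejected
    print(svc.redeem(tok, "session-A"))   # originating session: accepted once
    print(svc.redeem(tok, "session-A"))   # replay: rejected
    print(svc.account_view("session-A", step_up_done=False))  # no PII yet
```

Binding the token to the requesting browser session means a URL copied out of a public gateway is useless on any other device, which is exactly the harvesting scenario the study describes; the cost is that the user must open the link on the same device that requested it, the friction trade-off the article notes operators weigh against stronger methods.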

Sources
