Millions of People at Risk: The Dangers of SMS Sign-In Links

Date: 2026-03-11

A recent study has revealed a concerning issue affecting millions of people worldwide. Researchers have discovered that sign-in links sent via SMS can be easily exploited, putting personal information at risk. The study, conducted by researchers from the universities of New Mexico, Arizona, Louisiana, and the firm Circle, highlights weaknesses in how services authenticate users through links delivered by text message.

The researchers argue that these attacks are not only simple to execute but also highly scalable. They emphasize that the threat model can be realized using consumer-grade hardware and basic to intermediate web security knowledge. This means that anyone with the necessary skills could potentially carry out these attacks.

One of the critical issues is the lack of encryption in SMS messages. In the past, researchers have uncovered public databases containing sensitive information, including authentication links and personal details such as names and addresses. In one notable case from 2019, millions of text messages were exposed, revealing usernames, passwords, and even university finance applications. The exposure of such data highlights the potential consequences of these vulnerabilities.

Despite the known risks, the practice of sending sign-in links via SMS continues to be widely used. The researchers faced ethical challenges in assessing the true scale of the problem, because measuring it directly would have required bypassing access controls, however weak those controls were. As a result, they focused on public SMS gateways, which allow users to receive texts without revealing their phone numbers.

By analyzing these gateways, the researchers collected a vast amount of data. They extracted 332,000 unique SMS-delivered URLs from 33 million texts sent to over 30,000 phone numbers. The findings were alarming, indicating numerous security and privacy threats. The study revealed that messages from 701 endpoints, representing 177 services, exposed critical personally identifiable information. Weak authentication based on tokenized links was the root cause, allowing anyone with access to the link to obtain sensitive user data, including social security numbers, dates of birth, bank account details, and credit scores.
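The root cause named above, a link whose possession is the only check, is shown here next to a hardened redemption path. This is an added example, not code from the study or from any service it examined; `LinkStore`, its method names, the session identifier and the 600-second lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 600  # seconds; assumed policy value, not from the study


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class LinkStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> record; raw tokens are never stored

    def issue(self, user_id, session_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe encoded
        self._rows[_digest(token)] = {
            "user": user_id,
            "session": _digest(session_id),  # browser session that asked for the link
            "expires": now + TOKEN_TTL,
            "used": False,
        }
        return token

    def redeem_weak(self, token):
        # The pattern the study describes: holding the link is the only check.
        row = self._rows.get(_digest(token))
        return row["user"] if row else None

    def redeem_hardened(self, token, session_id, now=None):
        now = time.time() if now is None else now
        row = self._rows.get(_digest(token))
        if row is None or row["used"] or now > row["expires"]:
            return None  # unknown, replayed, or stale link
        if not hmac.compare_digest(row["session"], _digest(session_id)):
            return None  # link opened outside the session that requested it
        row["used"] = True  # single use: a later copy of the SMS is worthless
        return row["user"]
```

With the hardened path, a copy of the text message read from a gateway or a leaked database does not authenticate anyone, because the reader lacks the originating session and the link expires and is consumed on first use.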

This discovery underscores the urgent need for improved security measures in SMS-based authentication systems. It serves as a reminder that personal information is vulnerable, and individuals should remain cautious when interacting with sign-in links sent via SMS.