told TechCrunch that this is indeed very bad. “My real concern here is the potential that this has already been abused,” he said. “This is different from most breaches, due to the fact the data is temporary, so once it’s offline any data stolen isn’t very useful.”
Nonetheless, considering that some companies only require a phone number to reset an account, the possibility of breached accounts is huge.
While better than nothing, SMS-based authentication is also one of the weakest options. Some time ago Reddit, which was using the same technique for its employees, had to find out that it can actually be exploited.
The database issues above are just another example of why you should switch to another method if possible.