Every day, phone networks worldwide transmit billions of passwords and login codes. Tech companies rely on these codes to keep users securely logged into apps and accounts, no matter where they are. Ideally, these codes reach users as fast and cheaply as possible. For most people, they’re a minor inconvenience—until a breach turns them into a major risk.
Rather than sending codes directly to customers—which would be costly and inefficient—companies, including banks and Big Tech, outsource the task. Messages travel through a complex, often opaque network of contractors and subcontractors, each competing to reduce delivery costs. This practice is known in the industry as “lowest cost routing.” The problem? Any middleman in this chain can potentially access the sensitive information. Codes that warn “Do not share with anyone” may already have been exposed to unknown parties.
Methods
Lighthouse obtained nearly 100 million data packets from a phone industry source, providing an unusual window into telecom traffic handled by a controversial Swiss operator. Millions of these packets contained “A2P” (application-to-person) SMS messages. We analyzed them to determine senders, recipients, and message content.
Our investigation uncovered millions of security codes and logins routed through Fink Telecom Services. These messages spanned services from global tech giants—including Google, Meta, and Amazon—as well as banks, cryptocurrency exchanges, dating platforms, online marketplaces, and messaging apps like WhatsApp, Viber, and Signal. In total, we identified over 1,000 companies sending login credentials through the network run by telecom entrepreneur Andreas Fink. Many messages included account names, login codes, and phone numbers.
Storylines
In 2023, we revealed that Fink had also provided location-tracking services to governments and surveillance firms worldwide. His network was linked to serious incidents, including the murder of a Mexican journalist, email account breaches in Southeast Asia, and the hijacking of crypto wallets in Israel—events Fink either denied or attributed to his clients’ customers.
How do untrusted intermediaries like Fink Telecom gain access to such sensitive data? Tech companies outsource messaging to a sprawling, opaque marketplace of providers that promise faster and cheaper delivery worldwide.
“There’s nothing stopping anyone from doing this work,” one industry insider told us. “A company can quickly handle billions of messages.”
Fink Telecom and similar firms keep costs low by leveraging multiple countries’ “global titles”—network access points that allow telecom operators to connect internationally. As the phone industry has globalized, leasing these titles has become common, letting companies appear operational in countries far from their headquarters. We found Fink Telecom using global titles in Namibia, Chechnya, the UK, and Switzerland. The UK recently banned leasing of domestic global titles to third parties, citing surveillance and account security risks.
After our report, Meta said it had instructed partners to avoid subcontracting with Fink Telecom. Still, privacy experts question whether tech companies perform adequate due diligence across their messaging supply chains.