Tens of millions of text messages and security codes were exposed in an online database that did not even have a password, security researchers have found.

The database of text messages, used by companies to send password reset information, shipping notifications and security codes, was left exposed by communications company Voxox.

The files included 26 million records of text messages this year alone, according to TechCrunch. Password verification messages for Google accounts, Amazon delivery tracking notices, messaging apps and security codes for major financial investment companies were all included in the leak.

The exposed server could be found by Sébastien Kaul, a Berlin-based security researcher, using a search engine for public devices and data bases named Shodan. It was not password protected, meaning anyone could enter and access the data.

Exposed on the database were a stream of near real-time messages. However, the access codes in these would typically only have worked for a few minutes after they had been sent.

The leak shows the risks of text message-based communications with companies that are easier to intercept than encrypted digital messages.