this post was submitted on 05 Nov 2023
346 points (97.0% liked)
Technology
59436 readers
3056 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I mean if you're on GSuite, fundamentally isn't a loss of control of your personal Gmail account just as likely as a loss of control of your professional account?
It does show how browsers offering cloud-synched password vaults without mandating 2FA to use that feature is grossly irresponsible.
2FA is, in my experience, the thing that would be blocking 99% of this kind of attack. Which shows how if you're regularly using something that doesnt have 2FA that should be a red flag. In this case it was 2 layers of that:
Their google account probably didn't have 2FA, and neither did that service account. Now obviously a service account generally won't have 2FA, but if you're regularly keying in service account credentials into a web browser something has gone wrong.
Number 2 isn't true. I could choose a super strong password, but if the company chose to roll their own security and the dev chose to store user passwords in plain text, then their database is hacked, my password is out in the open. This happens all the time, even with huge tech companies.
That cannot happen with MFA since the password never leaves your hardware key.