this post was submitted on 03 Jan 2024
824 points (94.1% liked)

Technology

59589 readers
3148 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Hope this isn't a repeated submission. Funny how they're trying to deflect blame after they tried to change the EULA post breach.

you are viewing a single comment's thread
view the rest of the comments
[–] capital@lemmy.world 77 points 10 months ago (40 children)

The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers

Turns out, it is.

What should a website do when you present it with correct credentials?

[–] Thann@lemmy.ml 39 points 10 months ago (2 children)
  1. IP based rate limiting
  2. IP locked login tokens
  3. Email 2FA on login with new IP
[–] Umbraveil@lemmy.world 21 points 10 months ago* (last edited 10 months ago)

IP-based mitigation strategies are pretty useless for ATO and credential stuffing attacks.

These days, bot nets for hire are easy to come by and you can rotate your IP on every request limiting you controls to simply block known bad IPs and data server IPs.

[–] CommanderCloon@lemmy.ml 13 points 10 months ago (2 children)
  1. The attackers used IPs situated in their victims regions to log in, across months, bypassing rate limiting or region locks / warnings

  2. I don't know if they did but it would seem trivial to just use the tokens in-situ once they managed to login instead of saving and reusing said tokens. Also those tokens are the end user client tokens, IP locking them would make people with dynamic IPs or logged in 5G throw a fuss after the 5th login in half an hour of subway

  3. Yeah 2FA should be a default everywhere but people just throw a fuss at the slightest inconvenience. We very much need 2FA to become the norm so it's not seen as such

[–] unphazed@lemmy.world 3 points 10 months ago

2 factor beats the hell outta that "match the horse with the direction of the the arrow 10x" bs

[–] Fiivemacs@lemmy.ca 3 points 10 months ago (1 children)

I'm cool with 2fa, I'm not cool with a company demanding my cellphone number to send me SMS for 2fa or to be forced to get a 2fa code via email...like my bank. I can ONLY link 2fa to my phone. So when my phone goes missing or stolen, I can't access my bank. Only time I have resisted 2fa is when this pooly implemented bullshit happens.

[–] JackbyDev@programming.dev 2 points 10 months ago

Pro tip, when making a new Google account and putting your phone number in be sure to look into more options. There is a choice to only use it for 2fa and not for data linking.

load more comments (37 replies)