That's another Slack hack then?
Wasn't the GTA breach done via Slack as well?
Uber, four days after suffering a substantial cybersecurity breach, has admitted its attacker accessed "several internal systems" including the corporation's G Suite account, and downloaded internal Slack messages and a tool used by its finance department to manage "some" invoices. The rideshare and food-delivery app believes …
Even a 6-digit code sent by SMS would be more secure than Y / N.
That's a very dubious claim, given the multitude of security failings in SMS – such as the fact that many users allow their phones to display SMS messages while locked.
MFA systems already tend to have poor usability (in part because of the many types of MFA in use) and bad failure modes. I'm not eager to see yet another failure mode added.
MFA has helped mitigate attacks around passwords, which are terrible authenticators. Unfortunately it's done that by introducing another terrible authenticator. (And most attempts to address that problem are similarly flawed, like Apple's FIDO integration in its OSes, which wraps MFA in biometrics, which are a terrible authenticator.)
1 - A limited breach may have occurred but we have no evidence that any records were extracted. (complete)
2 - We have fixed the problems and are working with law enforcement to identify the perpetrators. (complete)
3 - There may have been some records extracted and we are working to determine how many and what sort of records. (within the week)
4 - It's 2016 all over again. Sorry about that. Our thoughts and prayers go out to you. (as soon as it hits the dark web)
Yeah, Outlook aside (which has apparently malfunctioned once or twice where it started spamming people with requests...) if you get spammed with MFA requests it probably means someone is trying to break in to your account and the best thing to do is change your password (and account name if possible),
"if you get spammed with MFA requests it probably means someone is trying to break in to your account and the best thing to do is change your password (and account name if possible),"
Why? If you are getting bunches of notices, how would changing your password do anything? Obviously, they don't have your passwords or they'd be into your account already and you'd never be the wiser unless you can look at the logs. The best thing to do is contact the admin and have them look into the attack. In the meantime, you might want to log in and lock out what you can.
The problem is attempt timeout. Sometimes it's not about gaining access, but simply denial of service.
This is why I intensely dislike using a public email address as UID, that's asking for it.
Thankfully I run my own email platform so I can create as many aliases as I need, also handy when you don't trust a site and want to track if they "leak" email addresses to the swines known as marketeers, aka spammers.
And the hundreds of thousands of people who currently work for them...?
I'm not trying to say that turning off Facebook wouldn't be a bad thing, but once you've done Facebook, et al, how do you draw the line and not move on to other targets? It's a steep slippery slope down into the vigilante rabbit hole.
"nothing of value would be lost."
I agree with the sentiment, but it's not really true. All of the social media companies collect all sorts of information on their users to sell to their customers (users aren't necessarily customers). The big data aggregators love every piece of data they can get. Maybe they don't already have your children's mobile numbers or their school's name. They might find it handy to fill those boxes in if there is value to be had.