Comment by mattbis
1 day ago
I really want to know how they did it.. was it some terrible password?
He doesn't strike me as the kinda person even using a local password manager; like keepass.
Somebody needs to find this out.
I doubt it was gmail support... surely it could not be via his phone sim, and if he didn't have two factor on; That would be so funny.
I'm tempted to check out the dark web or the telegram, but i'd rather not do either of those things.
I too am very curious about this. Even if his password was exposed and he didn’t have 2-factor auth, doesn’t Google by default ask for confirmation — e.g. texting a number or backup email associated with the account — when seeing an unrecognized device? Maybe he didn’t have any alt contact methods associated with his account?
(which might not be that unusual, he’s old enough to have opened a gmail account upon launch, before extra info hoops were put in place, and maybe he never touched his account config in the past 2 decades?
You are probably right... I tend to change my password semi often. It's always a super complex impossible to remember string - and always keep an eye on the account activity.
Not to mention ; you would assume he should have more than one device linked to the account and then that adds another layer, since Google will ask you " is this you trying to logon ". <-- that is the only way to get Google to do the unrecognized flow you mention.
If you are suggesting it was exposed and he didn't immediately randomise all his passwords.. WORDS FAIL ME
It's all security 101 the irony is immense...
if the US government / FBI need someone to give some talks on how to do security ...
Changing a password that's randomly generated is security theatre. It doesn't meaningfully improve security
Also it's entirely possible they only compromised a honeypot.
Considering their track record, that's actually more likely tbh
3 replies →