• Pxtl@lemmy.ca · ↑5 · 8 months ago

    I mean if you’re on GSuite, fundamentally isn’t a loss of control of your personal Gmail account just as likely as a loss of control of your professional account?

    It does show how browsers offering cloud-synched password vaults without mandating 2FA to use that feature is grossly irresponsible.

    2FA is, in my experience, the thing that would be blocking 99% of this kind of attack. Which shows how if you’re regularly using something that doesn’t have 2FA that should be a red flag. In this case it was 2 layers of that:

    Their google account probably didn’t have 2FA, and neither did that service account. Now obviously a service account generally won’t have 2FA, but if you’re regularly keying in service account credentials into a web browser something has gone wrong.

    • HoornseBakfiets@feddit.nl · ↑1 ↓1 · 8 months ago
      1. Not necessarily. 2FA only secures you from direct attacks on the Google login, but attackers can gain access another way: session cookie stealing.
      2. 2FA only really exists because people aren’t using better & unique passwords.