$380M lawsuit: intruder got Clorox's passwords from Cognizant simply by asking
theregister.com20 points by rntn a day ago
20 points by rntn a day ago
Makes me wonder if this was an inside job. Was the service desk contractor, part of the attack?
I really, am not sure how this happens? I feel like this should have been in the security training? Also... 2FA?
> Also... 2FA?
Yes, they reset that too, allegedly. IIUC, according to the complaint (which may or may not be accurate, of course) they got a user's password by just asking. Then they also got a vpn u&p for the same user (user1). Then they gathered some internal data and changed user2's phone number (using the same helpdesk, different conversation, I think) so they can bypass some 2fa. User2 was working in IT security...
Every security measure is as secure as the recovery mechanism. And if that mechanism relies on humans, they become the weakest link. The fact that they didn't perform any checks, and went ahead and changed 2! credentials via the same helpedsk without even sending an e-mail or you know, asking a question or two is bonkers.