Though it doesn't mention a timeline, this does seem like a way to pour gasoline onto a PR dumpster fire.
> The data also contained usernames and passwords of TrueDialog’s customers, which if used could have been used to access and impersonate their accounts.
For critical systems where 2FA is enabled I also do a "simulated" device loss, where I go through all the steps at least once that I would have to do in case of a real device loss (fetching backup codes, revoking token, resetting password, adding new token).
This way I do not have to constantly worry about losing critical items, because I'm prepared for the worst and I can be calm.
It also helps to have all your data encrypted at rest with BitLocker or VeraCrypt (hard to enforce this rule on yourself for pen drives, but oh well..).
But also: basically the entire security world has been recommending against SMS 2-factor for years, because it's so incredibly easy to steal access. Don't use SMS if at all possible, don't have it as a backup (because "a backup option" == "an option" == "you are only as strong as your weakest link"), etc. Avoid it entirely.
...to this day I still don't remember what the answer was.
The LastPass password hint I'd set:
> Don't forget your LastPass password.
It wasn't some oblique hint. It was an FU from 20-something me to 30-something me that I distinctly remembered sending as soon as I saw it.
I couldn't guess who my daddy was in 2004. Wasn't my real dad nor was it me ¯\_(ツ)_/¯
Thank you for the new D&D character name.
...which means there are bound to be a few stale but still active SMS codes lingering in there from people who attempted but did not complete authentication e.g. because they entered the wrong number or didn't have access to the number they attempted to use when signing in. Services impacted are any which allow for users to authenticate with _just_ SMS HOTP and which don't expire unused codes. That number is unfortunately high enough for me to think that this is equatable to a small credential breach.
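The point about unused codes lingering in a provider's message log, as an added example that is not part of the thread: a minimal verifier that binds each SMS code to one login attempt, expires codes that were never used, and burns a code on first use, so a code recovered from a leaked log is useless after the TTL or after it has been consumed. The five-minute TTL, the attempt ids and the injectable clock are assumptions for the demo.

```python
import hmac
import os
import time
from hashlib import sha256

CODE_TTL_SECONDS = 300  # assumed policy: an unused code dies after five minutes


class SmsCodeStore:
    """Issues one-time SMS login codes tied to a login attempt and expires unused ones."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so the demo can fast-forward
        self.pending = {}         # attempt_id -> (sha256(code), expires_at)

    def issue(self, attempt_id):
        # Six-digit code; only its hash is kept server-side. The plaintext is what
        # gets handed to the SMS provider (and what would sit in its message log).
        code = f"{int.from_bytes(os.urandom(4), 'big') % 1_000_000:06d}"
        self.pending[attempt_id] = (sha256(code.encode()).digest(),
                                    self.now() + CODE_TTL_SECONDS)
        return code

    def verify(self, attempt_id, code):
        entry = self.pending.get(attempt_id)
        if entry is None:
            return False                      # unknown attempt or already used
        code_hash, expires_at = entry
        if self.now() > expires_at:
            del self.pending[attempt_id]      # stale code from an abandoned attempt
            return False
        ok = hmac.compare_digest(code_hash, sha256(code.encode()).digest())
        if ok:
            del self.pending[attempt_id]      # single use: a replay of the same code fails
        return ok


def demo():
    """Replays a stale code and a consumed code; returns (stale_ok, first_ok, replay_ok)."""
    clock = [1_000_000.0]
    store = SmsCodeStore(now=lambda: clock[0])
    stale = store.issue("attempt-1")          # user mistyped the number, never finished
    clock[0] += 600                           # ten minutes pass
    stale_ok = store.verify("attempt-1", stale)
    fresh = store.issue("attempt-2")
    first_ok = store.verify("attempt-2", fresh)
    replay_ok = store.verify("attempt-2", fresh)
    return stale_ok, first_ok, replay_ok
```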
Saved you a click
Security is an enterprise feature. Dealing with this now trying to enable SAML in a few SaaS apps, for example.
Instead of bothering him/the rest of the audience I left it be (was probably from before his time), but yes, I was also wondering why security was part of the commercial offering...
Anyway, past be past, this is no excuse in 2019 anymore (even if I will be hesitant with Elastic Co in the future).
Nope. No such thing, no empathy for the people affected by the leaks, all blame shifted, done.
On a related note, I came across a post on the machine learning subreddit recently, where the author claims to have a dataset of 33 million SMSs in Mexican Spanish. I'm half suspecting the OP added the Mexican prefix to prevent anyone from doubting that his dataset was collected in Spain (in which case, GDPR applies). This was likely collected from an Android app which surreptitiously collected with the "Telephony.SMS_RECEIVED" intent, and the author half confirms it.
Regardless of the legality of doing so, reading people's private SMSs just reeks of privacy violations. iOS in this specific case does the right thing by not letting apps read incoming text messages (except for the limited case of reading single-factor SMS login codes, which was introduced in iOS 12).
Is the app actually reading the code? I thought this was just a UI hint that made it easier for the user to select the code from the suggestion area of the keyboard.
Edit: I have found https://www.howtogeek.com/230683/how-to-manage-app-permissio...