
The email fallback is of rather dubious value if your email is hosted in AWS or uses Route53.


I'm not sure I understand, can you elaborate?


If the domain of the root account's email address has its DNS or email handled under that AWS account, then any IAM user that has access to that could intercept the email and use that to gain access to the root account.


So you set up an AWS account with some email xyz@example.com and then you transferred that domain to be managed in that same account? That sounds like a niche and terrible idea tbh, why would you do that?
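An audit check for the scenario discussed in this thread, added here as an example and not part of any commenter's post: it flags a root account email whose domain has its DNS on Route 53, its mail delivered to an AWS inbound endpoint, or its zone hosted in the same account. The function name, finding labels and sample records are constructed for illustration; the zone list is assumed to come from the account's own Route 53 hosted zone listing.

```python
import re

# Route 53 public hosted zones delegate to name servers of this shape.
ROUTE53_NS = re.compile(r"^ns-\d+\.awsdns-\d+\.(com|net|org|co\.uk)\.?$", re.I)
# Inbound mail endpoint used by SES receiving and WorkMail.
AWS_MX = re.compile(r"^inbound-smtp\.[a-z0-9-]+\.amazonaws\.com\.?$", re.I)


def root_email_exposure(root_email, ns_records, mx_records, account_zones):
    """Return findings that mean mail to root_email can be redirected or read
    by whoever controls DNS or mail inside AWS (hypothetical helper).

    ns_records / mx_records: records already resolved for the email's domain.
    account_zones: hosted zone names in the account being audited (assumed
    to be collected beforehand, e.g. from a hosted zone listing).
    """
    domain = root_email.rsplit("@", 1)[1].lower().rstrip(".")
    findings = []

    if any(ROUTE53_NS.match(ns.strip()) for ns in ns_records):
        findings.append("dns-on-route53")

    # MX values may carry a priority ("10 host."); keep only the host part.
    if any(AWS_MX.match(mx.split()[-1]) for mx in mx_records):
        findings.append("mail-on-aws")

    # The domain, or any parent of it, is a hosted zone in this same account:
    # an IAM principal with record-change rights there can repoint the MX.
    zones = {z.lower().rstrip(".") for z in account_zones}
    labels = domain.split(".")
    if any(".".join(labels[i:]) in zones for i in range(len(labels))):
        findings.append("zone-in-same-account")

    return findings


if __name__ == "__main__":
    # Constructed sample records, not taken from a real account.
    print(root_email_exposure(
        "xyz@example.com",
        ["ns-2048.awsdns-64.com.", "ns-512.awsdns-00.net."],
        ["10 inbound-smtp.us-east-1.amazonaws.com."],
        ["example.com."],
    ))
```

An empty result means none of the three conditions was observed in the records supplied; it does not cover mail hosted on AWS behind a non-AWS MX name.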



