Hacker News new | ask | show | jobs
by djhworld 3333 days ago
I guess the authors idea of

1. Checking if an email address exists

2. Running it against a known dump of leaked data, with passwords etc

3. Try logging in to google account with the leaked password, hoping the user reuses passwords

Google encourages their users to use 2FA and has other measures to detect when logins are coming from unknown locations, so I guess they figured the risk of this was pretty low
2 comments
mkosmo 3333 days ago
Agreed, a popped account is a bad thing, especially if it's published as such. A larger risk would be somebody popping one of the compromised-credential repositories. Then you've got both username and password. But here we're effectively seeing a slow-scale brute force...

Everybody should enable 2FA, and use the strongest 2FA you can. Buy a yubikey or other U2F key and use it for everything possible. And webdevs, please start supporting U2F in addition to RFC 6238 TOTPs. It's really not that hard.

link
Liquid_Fire 3332 days ago
If you have a leaked database dump with login details, you already have the email address in the dump. You don't need to exploit this to find it.
link