by kadoban 1926 days ago
If you have security cameras though, doesn't that open up a huge amount of possibilities to deepen the intrusion? Just most obviously you can watch anyone log in to anything you can see and get some credentials that way. Sounds like these offices are closed, but I'm sure there's some clever way to get someone to need to log in to some machine. Or just be patient and wait.

Hell, the offices being closed and having control of the security cameras offers what sounds a lot like the start of a great way to break in quietly and get physical access. How many systems do you know that are secure if you can touch them?


You can see the resolution of the cameras in some of the account's other tweets. It's not high enough to see information on the screen. Watching keyboard inputs might be possible, but even then I doubt the framerate is high enough to get all the keys.

More importantly: at most companies, accessing sensitive systems requires more than just a username and password. Pretty much every place requires TOTP or HOTP, often via a hardware token. Many firms also restrict access to specific machines.

Pretty much everything at Cloudflare requires, at the very least, a physical security key (e.g. YubiKey) to get access.

Yeah, 2FA is a good point. You'd really hope that anything important would require it, but not sure that's universally true. Social engineering attacks become a lot easier possibly; 2FA tends to need to be overridden a lot because people lose their tokens.

I didn't see the low-res cameras, that should make it harder. I wouldn't be surprised if AI or tedium (view each frame, guess and check, etc.) could still get you passwords, but yeah, it's starting to sound like more of a stretch. If the cameras have sound that should help get creds too.