by nurtbo
689 days ago
So these attackers could gain access to any account with email with a domain not currently registered to a Google Workspace? This seems like a huge breach of trust. (Especially given that it gave access to outside of Google accounts).

Is there a best practice around confirming adding social login to a pre-existing account? (Like entering current password or email confirmation?)

From the article:

> In the case of the reader who shared the breach notice from Google, the imposters used the authentication bypass to associate his domain with a Workspace account. And that domain was tied to his login at several third-party services online. Indeed, the alert this reader received from Google said the unauthorized Workspace account appears to have been used to sign in to his account at Dropbox