by aryan14
10 days ago
It’s just incorrect.

It’s true that existing sessions are revoked, because the password was reset.

The reason the target wouldn’t get any notifications at all would be in the case they never set up any additional verification methods to receive these notifications to, since this only worked on accounts w/o 2FA.

You can test this on your own account: if you have 2FA enabled and reset your password, you’ll receive notifications to whatever option you have enabled.

Also, if you reset the password, it doesn’t remove all 2FA methods on the account (you can test this).

So assuming a threat actor reset the password, they would attempt to log in with the correct password but would still need the 2FA code or approval.