by rdl
4790 days ago
No, if you hack the portal, you can get whatever info it mediates; the attackers don't need to then use the passwords and 2FA tokens to log in to get it, they just bypass authentication entirely. It's totally reasonable to believe Linode is enough of a clusterfuck internally, based on past performance, that this kind of thing is plausible. Yes, this protects you from one kind of attack if an attacker only gets limited access to Linode's systems. The other issue is it doesn't protect you from password reuse. If a user is dumb and uses his global password for his Linode password, and Linode is hacked again, and the password is recovered, the attacker uses that userid/password/email/etc. to attack other accounts of that user at other services.