by TwoBit 4000 days ago
So Facebook had his Harvard email as the password reset email?

That is what I got from "On the day it happened, I figured out he got in by taking over my Harvard alumni email and then requesting that a new password from Facebook be sent there."

Gaining control of email accounts is how other accounts are typically captured when multi-factor auth is not enabled, of course. The question is how exactly the attacker got into Thurston's email account at Harvard. The reset instructions read like answering a verification question is all that is needed to change the password without knowing the original password. That would mean two lessons:

1. Harvard should add at least one additional step to this procedure, such as requiring confirmation through a secondary email address.

2. Nobody should ever use publicly available information as answers for password reset "security" questions.

(Both not exactly surprising insights here, of course...)

What still doesn't add up is the part about the attacker "creating gmail account like yours".