Steve Bellovin1d ago
That hackers got into Patel’s gmail account suggests one of two possibilities: his device or devices were hacked, or his password was phished and he doesn’t use good 2FA.
Show threadPoul-Henning Kamp

@SteveBellovin

I'm totally on board with the incompetence-hypothesis here, but there is one more possibility:

State level actors have "assets" embedded in major tech-companies like Google, Apple, Intel, Microsoft.

If you want to argue otherwise, give me a minute to make pop-corn first :-)

Mar 27 at 7:59pmWeb
Show threadPer Thorsheim1d ago
@bsdphk @SteveBellovin Granularity: Not that long since Gmail went mandatory 2FA. Processes for account recovery, forgot password & 2FA login can be excellent attack vectors, simswap makes it even more so. Even Patel is human, and humans reuse pwds across multiple services, so a compromise somewhere else may provide direct access, or increase probability of pwd spraying / credential stuffing to work.
Why should Patel be considered better than most at protecting personal accounts?
Show threadSteve Bellovin1d ago
@thorsheim @bsdphk Because he should have been, and probably was, briefed by the FBI’s excellent cybersecurity people on what to do.