• clb92@feddit.dk
    link
    fedilink
    English
    arrow-up
    38
    ·
    vor 5 Monaten

    Goddammit, can companies stop leaking our shit everywhere please

    • Norgur@fedia.io
      link
      fedilink
      arrow-up
      9
      ·
      vor 5 Monaten

      Especially with such careless failures. If some employee was tricked through a well-planned social engineering attack, or they used some mega obscure day0 vulnerability, I’d not be happy, but shit happens, I guess. But not sending my phone number when someone just posts some GET command to an API should be a no-brainer…

  • schizo@forum.uncomfortable.business
    link
    fedilink
    English
    arrow-up
    28
    ·
    vor 5 Monaten

    What confuses me is even a half-competent audit and pentest would absolutely have found an api endpoint that’s going to absolutely leak customer data, so the assumption I have to make is that, yet again, a “security” company can’t be fucked to do the bare minimum to ensure their security shit is you know, secure.

  • The Quuuuuill@slrpnk.net
    link
    fedilink
    English
    arrow-up
    11
    ·
    vor 5 Monaten

    Let this be a reminder not to use Authy or Google Auth or Microsoft Auth if you can help it. Your best bet if you can help it is a Yubikey or Nitrokey. If you can’t far better to go with Aegis or Ente Auth. If you need easy sync across devices, Aegis has that, but most of the security experts I know recommend going with 1Password as your MFA solution with sync. I personally don’t trust 1Password as a for profit corporation, but I also accept I don’t get paid to know about computer security to the degree that an actual security expert is

  • Telorand@reddthat.com
    link
    fedilink
    English
    arrow-up
    11
    ·
    edit-2
    vor 5 Monaten

    That’s especially bad, because the default behavior, iirc, is to have Multi-Device turned on, which means anyone can potentially add their device to your account and access your TOTP.

    And I don’t expect most users to know how or to remember to turn it off.

  • Th4tGuyII@fedia.io
    link
    fedilink
    arrow-up
    8
    ·
    vor 5 Monaten

    Thank fuck I got away from Authy years ago - cost me my Twitch account (because apparently Twitch straight won’t allow you to switch away from Authy), but it was worth it to secure the rest of my things

  • Rentlar@lemmy.ca
    link
    fedilink
    English
    arrow-up
    5
    ·
    vor 5 Monaten

    Lol it’s taken me a while to come around to MFA (I used to hate it but I’ve started using open source MFA apps), but my hesitation to use proprietary solutions has proved smart.

  • user@lemmy.one
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    vor 5 Monaten

    Oof, lucky I left them for aegis, android only app a long time ago. I hope/think I closed my authy account 🤞

  • Potatos_are_not_friends@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    vor 4 Monaten

    Oh man this is going to suck.

    We were looking for an authentication setup to allow for SSO and one of the front runners was Twilio. They have a meeting with us next week and I am not looking forward to this second hand embarrassment.

  • Grumpydaddy@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    vor 5 Monaten

    So for common folk like myself, what do I need to do? I used Authy for a few sites. Can a bad actor pretending to be me now get access to those sites?