In July an attack on a content delivery company, CloudFlare, exploited
weaknesses in the two-factor authentication systems Google provides to protect
personal and business accounts.
Google issued an update to correct a flaw in the process used to recover passwords, which had allowed the attack to take place. The CEO of CloudFlare, Matthew Prince, wrote an extensive blog
entry about the attack and their investigations, with advice to
organizations on protecting themselves from the same attack.
The attack highlighted the need for
organizations using software-as-a-service email providers to review the "lost
password" procedures for their administrator accounts on those services, and ensure that all contact methods they will use to receive messages
about password resets are secure and cannot be redirected or accessed without
their knowledge.