@jerry I'm considering whether to move to a whole new authenticator altogether. I long for the day when most if not all apps and sites allow hardware keys as the other factor, as opposed to just being an add-on to an MFA app.
And given the SIM swapping potential, it comes down to the mobile provider's customer team adhering to whatever verification procedures they have in place as the last line of defense. I also made sure to set MFA for my mobile account, decidedly not with Authy in this case :blobcatsweat:
@EndlessMason the answer is “it depends”. Many jurisdictions have requirements to report when customer/personal data was stolen. US public companies have an obligation to report “material” breaches to the SEC. What “material” means is where things get complicated. The spirit of the requirement is to disclose incidents that could or will affect the financial performance/stock price of the company. In my experience, there’s a lot of analysis on whether a given incident is “material” and if it’s not, we, the public, are likely to never hear about it.
@jerry I’d like to know which authenticator app you use and/or recommend.
Might not be a big deal. One hopes that people who use 2FA auth apps are a little more mindful and harder to phish than the average person.
Plus, all phone numbers are already leaked. A FOR-NEXT loop in BASIC can generate all phone numbers. NPA-NXX prefixes are known if you want to make it a little smarter. Then feed it to your robo-dialer/texter.
@jerry this makes me so glad I deleted my Authy account tbh. This is why we can never trust any services that don’t provide their source code to the general public.
@jerry They say they "no longer allow unauthenticated requests".
Maybe it's clumsily worded, but... did they previously allow them...?!
It seems silly but this might be how Optus was breached in Australia. One theory was that the endpoint was deliberately opened for testing, and then they just forgot to close it.
@jerry they should have used a secure, professional third party authorization service, obviously, instead of rolling their own. Sheesh! When will people learn.