This article massively overhypes the breach. 2FA and password resets have a very short window of validity. The database contained historical messages and did not operate in real-time.



How do you know it didn’t operate in real-time? The article doesn’t contain enough information to know.


If it wasn't real time, then how would short-lived auth solutions even work?


I understand they mean the database.


Perhaps, but you're also making a lot of assumptions about the security practices of companies that send you info via SMS.


To your point: I can count on two hands the number of companies I've encountered that iterate HOTP on use rather than on issuance.

...which means there are bound to be a few stale but still active SMS codes lingering in there from people who attempted but did not complete authentication e.g. because they entered the wrong number or didn't have access to the number they attempted to use when signing in. Services impacted are any which allow for users to authenticate with _just_ SMS HOTP and which don't expire unused codes. That number is unfortunately high enough for me to think that this is equatable to a small credential breach.
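To make the iterate-on-use versus iterate-on-issuance distinction above concrete, here is a small Python model (added example, not code from this thread) built on RFC 4226 HOTP; the SmsCodeIssuer class, its TTL handling and its two policies are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RFC 4226 test secret, used only so the codes can be checked against the
# RFC's published vectors (counter 0 -> 755224, counter 1 -> 287082).
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class SmsCodeIssuer:
    """Server-side state for one user's SMS login codes (constructed model).

    advance_on_issue=False reproduces the behaviour the comment describes:
    the counter only moves on a successful verify, so every re-send before
    use produces the same code and the earlier SMS stays valid.
    advance_on_issue=True moves the counter on every re-send, so a message
    sitting in an SMS provider's database is dead once a new one goes out.
    """

    def __init__(self, secret: bytes, advance_on_issue: bool, ttl_seconds: int):
        self.secret = secret
        self.advance_on_issue = advance_on_issue
        self.ttl = ttl_seconds
        self.counter = 0
        self.issued_at = None  # None means no code is outstanding

    def issue(self, now: int) -> str:
        if self.advance_on_issue and self.issued_at is not None:
            self.counter += 1  # fresh counter: the previous unused code is dead
        self.issued_at = now
        return hotp(self.secret, self.counter)

    def verify(self, code: str, now: int) -> bool:
        if self.issued_at is None or now - self.issued_at > self.ttl:
            return False  # nothing outstanding, or the code has expired
        if not hmac.compare_digest(code, hotp(self.secret, self.counter)):
            return False
        self.counter += 1  # iterate on use: the accepted code can never replay
        self.issued_at = None
        return True
```

With the lax policy two re-sends yield the same code and the older SMS is accepted; with the strict policy only the latest code verifies, and either policy rejects a code older than its TTL.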
