Attackers Turn Password Recovery Into BackdoorAssault on CloudFlare shows that companies need to pay attention to how their security services are locked down, and how the credentials for those services can be recovered.
Matthew Prince thought he had done everything right to secure his business e-mail account.
The CEO of CloudFlare, a website protection company, had used a complex and unique password as well as two-factor authentication to lock down access to his account on the company's Google-hosted e-mail service. Yet attackers found a different way to get in: The account recovery process used Prince's personal e-mail address, which--while it had a complex password--did not have other security protections. By social-engineering his mobile phone provider (AT&T) and exploiting Google's process for resetting passwords over the phone, the malicious group gained access to Prince's personal e-mail, and then leveraged that to recover the credentials for CloudFlare's e-mail system.
Read the rest of this article on Dark Reading.
Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)