That was exactly my question when I read this. How do they establish trust when 2FA is revoked? How do they prevent the bad guy from enabling 2FA now while the good guy is locked out of his account?

Maybe the good guy didn't get the message that Crypto.com had an issue, because s/he is unavailable.




Given that apparently their previous system simply allowed login/payments without the configured mandatory 2FA, per their statements about the root cause of the issue, this may have been a move of desperation...


My thought is maybe they didn’t really do 2FA, but exploited a password reset mechanism that only required 2FA?

I.e. single-factor resets, so a compromised "2FA" was actually the keys to the kingdom?

But you’d think the attacker would need access to a user’s email or some such then.
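The thread raises three related design questions without settling them: how a service re-establishes trust when a second factor is lost or revoked, how it stops an attacker with a stolen password from enrolling his own 2FA and locking the owner out, and why a reset path gated on a single factor (or a login path that silently skips a configured one) is a bypass. The following is an added example written for this page, not code from the thread or from Crypto.com, that models one defensible policy for all three in Python: a configured factor is never optional, replacing it requires the current factor, a "lost authenticator" request enters a hold period during which the registered e-mail gets a cancel token, and a password reset requires both mailbox control and the enrolled factor. The 72-hour hold, the in-memory outbox standing in for e-mail delivery, the fixed PBKDF2 salt and the sample account are all assumptions of the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy value for this demo; nothing on the page says what any exchange uses.
RECOVERY_HOLD_SECONDS = 72 * 3600


@dataclass
class Account:
    email: str
    password_hash: bytes
    totp_secret: Optional[bytes] = None          # None: 2FA not enrolled
    pending_reset: Optional[dict] = None         # lost-authenticator request in its hold period
    email_reset_token: Optional[str] = None      # outstanding password-reset token
    outbox: list = field(default_factory=list)   # constructed stand-in for e-mail delivery


def hash_password(pw: str) -> bytes:
    # Fixed salt and low iteration count keep the demo fast; use per-user salts in production.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"demo-salt", 10_000)


def make_account(email: str, password: str, totp_secret: Optional[bytes]) -> Account:
    return Account(email, hash_password(password), totp_secret)


def totp_now(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) evaluated against the caller's clock."""
    counter = int(now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def second_factor_ok(acct: Account, code: Optional[str], now: float) -> bool:
    """True only if no factor is enrolled, or the enrolled factor was actually presented."""
    if acct.totp_secret is None:
        return True
    return code is not None and hmac.compare_digest(code, totp_now(acct.totp_secret, now))


def login(acct: Account, password: str, code: Optional[str], now: float) -> bool:
    """A configured second factor is mandatory; there is no path that skips it."""
    password_ok = hmac.compare_digest(hash_password(password), acct.password_hash)
    return password_ok and second_factor_ok(acct, code, now)


def enroll_totp(acct: Account, password: str, code: Optional[str], new_secret: bytes, now: float) -> bool:
    """Replacing the factor requires the current factor, so a stolen password cannot swap it in."""
    if not login(acct, password, code, now):
        return False
    acct.totp_secret, acct.pending_reset = new_secret, None
    return True


def request_lost_totp_reset(acct: Account, password: str, now: float) -> bool:
    """Owner (or attacker) claims the authenticator is lost: start a hold, mail a cancel token."""
    if acct.totp_secret is None or not hmac.compare_digest(hash_password(password), acct.password_hash):
        return False
    token = secrets.token_urlsafe(16)
    acct.pending_reset = {"requested_at": now, "cancel_token": token}
    acct.outbox.append({"to": acct.email, "subject": "2FA reset requested", "cancel_token": token})
    return True


def cancel_reset(acct: Account, cancel_token: str) -> bool:
    """The real owner, warned by the notification, aborts the pending request with the token."""
    p = acct.pending_reset
    if p is not None and hmac.compare_digest(p["cancel_token"], cancel_token):
        acct.pending_reset = None
        return True
    return False


def finalize_lost_totp_reset(acct: Account, new_secret: bytes, now: float) -> bool:
    """The old factor is replaced only once the hold has elapsed without a cancellation."""
    p = acct.pending_reset
    if p is None or now - p["requested_at"] < RECOVERY_HOLD_SECONDS:
        return False
    acct.totp_secret, acct.pending_reset = new_secret, None
    return True


def issue_password_reset_token(acct: Account) -> str:
    acct.email_reset_token = secrets.token_urlsafe(16)
    acct.outbox.append({"to": acct.email, "subject": "password reset", "token": acct.email_reset_token})
    return acct.email_reset_token


def reset_password(acct: Account, email_token: str, code: Optional[str], new_password: str, now: float) -> bool:
    """Mailbox control AND the enrolled factor: neither one alone resets the password."""
    if acct.email_reset_token is None or not hmac.compare_digest(acct.email_reset_token, email_token):
        return False
    if not second_factor_ok(acct, code, now):
        return False
    acct.password_hash, acct.email_reset_token = hash_password(new_password), None
    return True
```

The point of the hold is the lockout scenario in the thread: an attacker with only the password can start a lost-authenticator request but cannot finish it for 72 hours, and the notification gives the owner a window to cancel with the old factor still in place. If the owner really is unreachable for the whole hold, the reset goes through, which is the trade-off this design accepts; shortening the hold favours the owner who lost a phone, lengthening it favours the owner who is away. The second check, that a configured factor is enforced on every path including password reset, is what the comments about single-factor resets and the "mandatory 2FA that wasn't enforced" root cause are really about.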



