The same threat actor has leaked larger amounts of data from LinkedIn dated 2023. They claim this new data contains 35M lines and is 12 GB uncompressed.

  • spudwart@spudwart.com · 23 up, 11 down · 1 year ago

    Was surprised at first, then I went to go log in to change my password.

    And then it said I was emailed a 2FA code… the code was part of the email header.

    Now I’m completely unsurprised this happened.

    • kungen@feddit.nu · 21 up · 1 year ago

      I’m not sure what you’re implying here regarding headers? Email is insecure regardless; even when using SMTP with TLS, it’s not like the headers are exposed whereas the body would be encrypted or something.

      • spudwart@spudwart.com · 0 up, 8 down · edited · 1 year ago

        Well, with PGP the header is unencrypted. But even with just SMTP, the issue is simpler.

        Putting it in the header makes it more accessible.

        Various emails could have the header “Is this you?”, and not all of them will hold a 2FA code, and even if they do, they may time out before you can find it and use it.

        But if the email has the header “Your secure 2FA code is 123456” from “noreply@example.com”,

        then unsurprisingly, logging into example.com with the user’s email and that 2FA code is going to be a breeze.

        • kungen@feddit.nu · 11 up · 1 year ago

          well with PGP, the header is unencrypted

          Is there a single large company that even sends PGP email?

          logging into example.com with the user’s email and that 2fa code is going to be a breeze

          Sure, IF 1. you already have the user’s password, and 2. a new code wouldn’t be required/the previous code invalidated when initiating a new login session?

          Like, I’m not saying that 2FA codes via email is secure, but you’re implying that they are making a security hole via this - which I don’t see.
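The second condition in the comment above (a new login attempt should invalidate the earlier code) is a server-side property, together with single use and expiry. The store below is an added example, not code from LinkedIn or from any poster in this thread; the 300-second lifetime, the injectable clock and the injectable code generator are assumptions made so the behaviour can be exercised deterministically.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

CODE_TTL_SECONDS = 300  # assumed policy: a code expires five minutes after issue


def random_code() -> str:
    """Six decimal digits from the CSPRNG, zero-padded."""
    return f"{secrets.randbelow(10**6):06d}"


class EmailOtpStore:
    """Server-side record of emailed login codes, one outstanding code per user.

    Starting a new login attempt replaces (invalidates) any earlier code, and a
    code that verifies is discarded so it cannot be replayed. `now` and `gen`
    are injectable only for deterministic testing (assumed design).
    """

    def __init__(self, now: Callable[[], float] = time.time,
                 gen: Callable[[], str] = random_code) -> None:
        self._now = now
        self._gen = gen
        self._codes: Dict[str, Tuple[str, float]] = {}  # user -> (code, issued_at)

    def issue(self, user: str) -> str:
        code = self._gen()
        self._codes[user] = (code, self._now())  # overwrites any outstanding code
        return code

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._codes.get(user)
        if entry is None:
            return False  # never issued, already consumed, or replaced
        code, issued_at = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            self._codes.pop(user, None)  # expired codes are dropped, not retried
            return False
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            return False  # a wrong guess leaves the outstanding code in place
        self._codes.pop(user)  # single use: a correct code is consumed
        return True


def demo_lifecycle() -> Dict[str, bool]:
    """Walks one user through replace, wrong guess, use, replay and expiry."""
    clock = [1000.0]
    codes = iter(["111111", "222222", "333333"])  # constructed, not random
    store = EmailOtpStore(now=lambda: clock[0], gen=lambda: next(codes))
    first, second = store.issue("alice"), store.issue("alice")
    out = {"replaced_code_rejected": not store.verify("alice", first),
           "wrong_guess_rejected": not store.verify("alice", "000000"),
           "current_code_accepted": store.verify("alice", second),
           "replay_rejected": not store.verify("alice", second)}
    third = store.issue("alice")
    clock[0] += CODE_TTL_SECONDS + 1
    out["expired_rejected"] = not store.verify("alice", third)
    return out
```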

            • brothershamus@kbin.social · 2 up · 1 year ago

              I used it. For about 10 minutes. Then I read the help files. Then I searched. Then I used it some more. Then I uninstalled it.

              • jarfil@lemmy.world · 1 up · 1 year ago

                Unless you followed by installing gpg… then you failed. There are tons of uses for it, not necessarily encrypting emails (or more precisely, it kind of sucks at encrypting emails).

          • locuester@lemmy.zip · 2 up, 1 down · 1 year ago

            Yeah not following the logic. 2FA via email is insecure. Doesn’t matter where in the email. That person is confused about something.

    • corsicanguppy@lemmy.ca · 18 up, 3 down · 1 year ago

      the code was part of the

      … part of the Subject header in the encrypted body of the message, you mean? What a nothing-burger.

      • jarfil@lemmy.world · 6 up · 1 year ago

        encrypted body of the message

        Encrypted what? LinkedIn lets you add a key/cert to send you encrypted emails?