
Mandiant’s brute-forced X account exposes perils of skimping on 2FA

January 11, 2024

Google-owned security house Mandiant’s investigation into how its X account was taken over to push cryptocurrency scams concludes the “likely” cause was a successful brute-force password attack.

The natural reaction to this would be to ask why two-factor or multi-factor authentication didn’t prevent this from taking place. Well, Mandiant’s carefully worded response basically said it wasn’t implemented.

“Normally, 2FA would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected,” it posted via its now recovered account. “We’ve made changes to our process to ensure this doesn’t happen again.”

Read More on The Register