• doppelgangmember@lemmy.world
    link
    fedilink
    arrow-up
    28
    arrow-down
    1
    ·
    edit-2
    1 year ago

    So they brute forced the login?

    No request limiting?

    Wtf

    Edit: yeah it’s just a brute force with less steps. That’s fuckn embarrassing “Credential Stuffing is a subset of the brute force attack category. Brute forcing will attempt to try multiple passwords against one or multiple accounts; guessing a password, in other words. Credential Stuffing typically refers to specifically using known (breached) username / password pairs against other websites.”

    • spookedbyroaches@lemm.ee
      link
      fedilink
      arrow-up
      13
      arrow-down
      1
      ·
      1 year ago

      Just because this method is a subset of the brute force attack doesn’t mean that they don’t have request limiting. They are reusing known breached passwords from other platforms, which makes it basically a guarantee that they will get the right password if they don’t use a password manager. Their computer systems are secure, it’s just their business model that’s a privacy nightmare.

      • doppelgangmember@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        I mean true, there’s nothing you can do with a successful attempt.

        But i feel like this still could have been limited. Required 2FA obvi comes to mind… You can limit rate in a lot of ways.

    • PixxlMan@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      According to the quote they would’ve used breached passwords. You don’t know anything about request limiting. It wasn’t just randomly entering passwords unrestricted, as per your own quote.

    • KillAllPoorPeople@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      1 year ago

      Limits aren’t a concern if you’re controlling a bunch of zombies. The big guys usually have thousands if not hundreds of thousands of 'em.