Source: Dark Reading
by Robert Lemos
In this article: “Matthew Prince thought he had done everything right to secure his business e-mail account.
The CEO of CloudFlare, a Web site protection company, had used a complex and unique password as well as two-factor authentication to lock down access to his account on the company’s Google-hosted e-mail service. Yet attackers found a different way to get in: The account recovery process used Prince’s personal e-mail address, which — while it had a complex password — did not have other security protections. By social engineering his mobile-phone provider AT&T, and exploiting Google’s process for resetting passwords over the phone, the malicious group gained access to his personal e-mail and then leveraged that to recover the credentials for CloudFlare’s e-mail system.
“I was aware that they were in my personal e-mail account the instant that it happened, because I got a notice that my e-mail account had been changed,” Prince says. “Once they were in that account, they were able to go to CloudFlare’s Google Apps account … and do an account recovery request.”
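The chain above is a recovery-path weakness: the work account's second factor is only as strong as the personal mailbox that can reset it, which in turn is only as strong as the phone number a carrier can be talked into reassigning. The following is an added example, not code from the article, CloudFlare or Google, that models accounts and their recovery channels as a graph and reports every account whose effective protection is lower than its own login factors; the protection levels, account names and sample graphs are assumptions constructed for the example.

```python
"""Audit account-recovery chains for links weaker than the account itself.

An attacker who controls any channel that can reset an account gets in
regardless of that account's own factors, so an account's effective level
is the minimum over itself and everything that can recover it, recursively.
"""
import math
from typing import Dict, List, Tuple

# Assumed protection scale for this example; higher is stronger.
CARRIER_RESET = 0   # phone number: reset obtainable by social-engineering the carrier
PASSWORD_ONLY = 1   # unique password, no second factor
PASSWORD_MFA = 2    # unique password plus second factor

# account name -> (own level, names of channels/accounts that can reset it)
Graph = Dict[str, Tuple[int, List[str]]]


def weakest_chain(graph: Graph, name: str, seen=()) -> Tuple[float, List[str]]:
    """Return (effective level, chain from `name` down to its weakest link)."""
    if name in seen:                      # recovery cycle: adds no new weakness
        return math.inf, []
    own, channels = graph[name]
    best: Tuple[float, List[str]] = (own, [name])
    for channel in channels:
        level, chain = weakest_chain(graph, channel, seen + (name,))
        if level < best[0]:
            best = (level, [name] + chain)
    return best


def recovery_audit(graph: Graph) -> Dict[str, Tuple[float, List[str]]]:
    """Accounts whose recovery path undermines their own login protection."""
    findings = {}
    for name, (own, _) in graph.items():
        level, chain = weakest_chain(graph, name)
        if level < own:
            findings[name] = (level, chain)
    return findings


# Constructed graph modelled on the case described in the article.
SAMPLE: Graph = {
    "work-email":     (PASSWORD_MFA,  ["personal-email"]),
    "personal-email": (PASSWORD_ONLY, ["mobile-phone"]),
    "mobile-phone":   (CARRIER_RESET, []),
}
# Same accounts after the personal mailbox gets a second factor and
# phone-based reset is removed from its recovery options.
HARDENED: Graph = {
    "work-email":     (PASSWORD_MFA, ["personal-email"]),
    "personal-email": (PASSWORD_MFA, []),
}

if __name__ == "__main__":
    for acct, (level, chain) in recovery_audit(SAMPLE).items():
        print(f"{acct}: effective level {level} via {' -> '.join(chain)}")
```

On the sample graph the audit flags both e-mail accounts as effectively level 0 through the phone number; on the hardened graph it reports nothing.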