Also kind of curious how syncing to Google servers made this attack worse? Not that clear from the article 🤔
As I understand it: The attacker was able to compromise the Google account of that employee. That would have been pretty bad in and of itself. Due to this horseshit “sync” feature, though, the attacker was also able to grab all those TOTP seeds that can be used to log in to other sites.
What’s unclear to me is how the attacker got to the first factor (probably a normal password). That was probably phished separately? And/or that employee used the same password everywhere? 🤔