Duo.com, the 2FA scheme Instagram and GitHub use, and which you can use on your own website, does not connect your phone to your account (in the "knows your number, IMEI or location" sense).
Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents.
Passwords are not a shitty defense. The vast majority of password cracking is done by social engineering.
You are talking utter bollocks; the vast majority of password cracking is done via breaches.
Podesta's emails were gathered by phishing
VK Data Breach: Russian social media site VK was hacked, exposing 93 million names, phone numbers, email addresses, and plain text passwords.
FriendFinder Network Breach: Attack vector: cracked password. Websites like Adult Friend Finder, Penthouse.com, Cams.com, iCams.com, and Stripshow.com were affected. Most of the passwords were protected only by the weak SHA-1 hashing algorithm, which meant that 99% of them had been cracked by the time LeakedSource.com published its analysis.
MySpace Data Breach: In June 2013, around 360 million MySpace accounts were compromised by a Russian hacker. The incident was not publicly disclosed until 2016.
LastPass Data Breach: Hackers compromised the laptop of a LastPass DevOps engineer to gain access to customer personal data, potentially impacting 30 million of LastPass’ users.
Plex Data Breach: Streaming platform Plex suffered a data breach impacting most of its users, approximately 20 million. The compromised information included usernames, email addresses, and passwords.
North Face Data Breach: Roughly 200,000 North Face accounts were compromised in a credential stuffing attack. These accounts included full names, purchase histories, billing addresses, shipping addresses, phone numbers, account holders' genders, and XPLR Pass reward records.
Passwords are quite a shitty defence.
But you managed to shoehorn CBDC into it again
How 50% of telco Orange Spain’s traffic got hijacked — a weak password
https://doublepulsar.com/how-50-of-telco-orange-spains-traffic-got-hijacked-a-weak-password-d7cde085b0c5?gi=519e9074506a
https://arstechnica.com/security/2024/01/microsoft-network-breached-through-password-spraying-by-russian-state-hackers/