Bron Gondwana: This is why this email was such a surprise. Like the poor quality mailing lists mentioned above, it didn’t require a confirmed opt-in. We had to reply to say that we didn’t want the contact email address changed. This means that a forged source address was sufficient. Even though the attacker couldn’t read … Continue reading When Two-Factor Authentication Is Not Enough