Google's two-factor glitch ends in 4chan attack
A flaw in Google's account-recovery process has resulted in CloudFlare CEO Matthew Prince losing control of his Google Apps for Business account, despite it being protected with two-factor authentication.
CloudFlare was the victim of a social-engineering attack that compromised two highly protected email accounts. The attack was ultimately directed at the popular internet forum 4chan, for which CloudFlare acts as a host. In a blog post, Prince said that the attack on him and his company may have begun in mid-May: he received an account-recovery request for his personal Gmail account then, even though he had not started the recovery process himself.
Prince was using a 20+ character, highly randomised password, but the password never came into play: the attackers bypassed it by asking Google to reset the account. One option for recovering an account is to have Google send a confirmation code to the phone number associated with the account; where the number cannot receive SMS, Google reads the code out in an automated voice call, and an unanswered call leaves that code in voicemail. Prince believes that the attackers started the recovery process and then intercepted the confirmation code by socially engineering support staff at US telco AT&T into giving them access to his voicemail, where the code would have ended up. The recovery path thus sidestepped both the password and the second factor, because the only thing it verified was control of a phone line that the carrier, not the account owner, ultimately controls.
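The failure mode above is easy to reproduce in a small model, as an added illustration that is not part of the original article and not a description of Google's or AT&T's actual systems. The `Phone`, `Account` and both delivery policies below are hypothetical constructions: the weak policy speaks the code into whatever answers the call (including a voicemail box the attacker has taken over), while the hardened policy refuses phone fallback for an account that enrolled a stronger factor and, even when allowed, speaks the code only after a live keypress that a voicemail greeting cannot supply.

```python
"""Added example: why a recovery code spoken into voicemail defeats a strong
password and 2FA, next to one hypothetical hardened delivery policy.
Nothing here models a real provider's implementation."""
import re
import secrets
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Phone:
    """A phone line. If nobody answers live, the call lands in a voicemail
    mailbox -- the mailbox an attacker obtains by social-engineering the
    carrier, so anything spoken into it is attacker-readable."""
    answered_live: bool
    voicemail: List[str] = field(default_factory=list)

    def speak(self, message: str) -> None:
        """Play a message to whoever picked up; voicemail records it verbatim."""
        if not self.answered_live:
            self.voicemail.append(message)

    def keypress(self) -> Optional[str]:
        """A live listener can press a DTMF key; a voicemail greeting cannot."""
        return "1" if self.answered_live else None


@dataclass
class Account:
    second_factor_enrolled: bool


def deliver_code_weak(phone: Phone, account: Account, code: str) -> str:
    """The flow the article describes: with SMS unavailable, the code is read
    out over a voice call regardless of what (or who) answers."""
    phone.speak(f"Your verification code is {code}")
    return "delivered"


def deliver_code_hardened(phone: Phone, account: Account, code: str) -> str:
    """Hypothetical hardened policy (assumption, not a real provider's fix):
    1. phone fallback is not offered when a stronger factor is enrolled;
    2. the code is spoken only after a live keypress, so it never reaches voicemail."""
    if account.second_factor_enrolled:
        return "refused: phone recovery is weaker than the enrolled second factor"
    phone.speak("Press 1 to hear your verification code")
    if phone.keypress() is None:
        return "withheld: no live listener on the line"
    phone.speak(f"Your verification code is {code}")
    return "delivered"


def attacker_reads_voicemail(phone: Phone) -> Optional[str]:
    """What the attacker learns after gaining access to the mailbox."""
    for message in phone.voicemail:
        match = re.search(r"\b(\d{6})\b", message)
        if match:
            return match.group(1)
    return None


def run_scenario(policy: Callable[[Phone, Account, str], str],
                 answered_live: bool,
                 second_factor: bool) -> Tuple[str, str, Optional[str]]:
    """Run one delivery attempt and return (policy result, real code,
    code the attacker recovered from voicemail, or None)."""
    code = f"{secrets.randbelow(10**6):06d}"   # constructed 6-digit code
    phone = Phone(answered_live=answered_live)
    result = policy(phone, Account(second_factor_enrolled=second_factor), code)
    return result, code, attacker_reads_voicemail(phone)


if __name__ == "__main__":
    # Prince's situation as modelled here: 2FA enrolled, call goes to voicemail.
    for name, policy in (("weak", deliver_code_weak), ("hardened", deliver_code_hardened)):
        result, code, leaked = run_scenario(policy, answered_live=False, second_factor=True)
        print(f"{name:8s} {result!r:<70} attacker got code: {leaked == code}")
```

The point the model makes is that recovery is a second authentication path: whatever it accepts as proof of identity is the real strength of the account, no matter how long the password or whether a second factor is enrolled.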