cbdumas 5 days ago

> The attacker already had access to ... my Google Authenticator codes, because Google had cloud-synced my codes.

This was such an obvious mis-feature I can't believe they actually rolled it out. For those using Google Authenticator you can and should disable cloud sync of your TOTP codes.

Flimm 4 days ago | parent

I can understand it. Ordinary users were getting locked out of their accounts when losing their phones. Some of those stories hit HN.

Don't disable cloud sync unless you have a backup of all your TOTP secret keys. It's dangerous to advise people to disable cloud sync without mentioning backups. Being locked out of thousands of dollars in your crypto account is as damaging as losing that crypto to hackers.

cbdumas 4 days ago | parent

In that case wouldn't you be better off just disabling 2FA? The problem with the cloud sync is that users like the one in the article think they have 2FA but in fact if their Google account is compromised all their accounts using Google Authenticator TOTP second factors are also compromised.
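The point made in this sub-thread, that a copy of the TOTP secret anywhere (phone, cloud backup, attacker's machine) is the second factor itself, follows directly from how TOTP is computed. The following is an added illustration, not code from the thread or from Google Authenticator: a minimal RFC 4226/6238 implementation (HMAC-SHA1, 30-second step) plus the server-side check a service performs. The base32 string and the ASCII secret "12345678901234567890" are the standard RFC test vector, not anyone's real key; the function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Standard RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded
# the way authenticator apps store it in otpauth:// URIs. Constructed test value.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(s: str) -> bytes:
    """Decode an authenticator-app style base32 secret (padding optional)."""
    s = s.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time.

    Note the inputs: only the shared secret and the current time. Any party
    holding a copy of the secret (including a cloud-synced backup) computes
    exactly the same code as the phone.
    """
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, candidate: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept codes from the current step and +/- `window`
    adjacent steps (clock drift), comparing in constant time."""
    t = int(time.time()) if at is None else at
    base = t // step
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    secret = secret_from_base32(RFC_TEST_SECRET_B32)
    print("code at T=59:", totp(secret, at=59))
    print("same secret, second device:", totp(secret, at=59))  # identical
    print("server accepts:", verify_totp(secret, totp(secret, at=59), at=59))
```

Two copies of the secret produce identical codes for every time step, so the confidentiality of the secret, wherever it is stored, is the whole security of the factor; the verifier's `window` is the usual drift allowance and has no bearing on that.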

hocuspocus 4 days ago | parent

It's the same thing with Apple Passwords.

TOTP isn't that great, you should definitely use a hardware and/or passkey for important and financial services. That said your cloud synced Google Authenticator can be behind a Google account with strong 2FA (i.e. not SMS nor TOTP), then it's mostly fine.

The lesson here is really not to ever share codes you receive by SMS, and preferably disable phone as recovery and second factor.