I was mostly offline over the weekend, and gmail refused pop3 this morning with "web login required", and the https://mail.google.com page prompted me for my login/password (I log out when done with the thing I couldn't do without logging in) and then it wanted to SMS me with a phone number it guessed was mine even though I've never given that account my phone number.
I refused to confirm or deny its guess (SMS as a single point of failure for password resets is CREEPY, as if nobody's ever stolen an account via sim spoofing, and broadcasting an attacker-requestable plaintext message to your entire city seems sub-optimal at the best of times) and instead clicked the "help" option, which wanted me to login _again_ with the "old password" and then had more sms options, or I could use the next-of-kin email I gave it in case I died. But it was 2am and she was asleep. (And she gets spammed every time I login from different machine than last time, and hadn't mentioned anything in the household discord channel...) So I closed the tab and went to other windows, but next time I passed that virtual desktop I clicked "get messages" in thunderbird out of sheer habit... and it worked. And I can send too. It looks like giving my password to the webpage counts as "web login" that unblocked pop3 and smtp access. Only web access has the "additional confirmation" gating popups after the fact. (So basically https://ohai.social/@dcoderlt/111862395847437251 but professional.) Anyway... was there a breach I'm not aware of? This week's seems to be https://tech.co/news/google-accounts-hacked-without-passwords but again I don't stay logged in when not actively fishing false positives out of the spam filter, and I usually "pkill -f renderer" the other tabs before doing that (on general principles)... *shrug* Weird. Rob (Yes, gmail unsubscribed Ed Maste of the FreeBSD foundation from this list again last week with spam filter delivery refusal, and yes now that linux-kernel moved from vger to the new server I'm getting daily "bounce probe" emails due to refused email delivery there too, but that's just gmail being gmail...) _______________________________________________ Toybox mailing list Toybox@lists.landley.net http://lists.landley.net/listinfo.cgi/toybox-landley.net