It’s true that existing sessions are revoked; because the password was reset
The reason the target wouldn’t get any notifications at all would be in the case they never setup any additional verification methods to receive these notifications to, since this only worked on accounts w/o 2FA
You can test this on your own account, if you have 2FA enabled and reset your password, you’ll receive notifications to whatever option you have enabled
Also, if you reset the password, it doesn’t remove all 2FA methods on the account (you can test this)
So assuming a threat actor reset the password, they would attempt to login with the correct password but would still need the 2FA code or approval
> “In case you're wondering, because the system treats this high-privilege recovery flow as a total account reset by the "true" owner, the original 2FA gets thoroughly bypassed in the process.“
This is false.
Important to note this did not work if your account had 2FA of any kind
e.g if you had a time based authenticator enabled, after the AI gave you the code to reset the password, it had no notable privileges beyond that
This is actually what microsoft does for microsoft accounts
If you recover a microsoft account / submit a ticket to recover it and provide correct information, the active email gets an email letting them know about the request
You can deny it, or if you ignore it for 30 days the request goes through
And he has been and continues to make fun of the investigators, publicly mocking investigators and sending small amounts from the fraudulent wallets to investigators.
You can use bitcoin completely/as anonymously as cash if you wanted to, the same way you’d have to put in a bit of effort to have a completely anonymous cash transaction.
Monero (XMR) which is a fork of bitcoin, is much closer to actual cash
Would show any logins or security info updates etc