Comment *DEFINITELY* Blame Google (Score 1) 79
Google authenticator worked as intended [ ... ]
"NOTABUG: Working as designed."
Yeah, we know, Sparky... The design is fucking idiotic!
It seems clear that one of the OTP codes got them into the rube's account -- the second OTP code allowed them to copy out his Google Authenticator database. If that copy hadn't existed -- and indeed did not exist until Google decided to make copies for itself -- then they would have had to keep pumping him for OTP codes, and the damage would likely have been more limited.
The first compromise can be laid at the feet of the dopey employee. Google bears partial responsibility for all subsequent compromises -- for making and keeping a copy of a sensitive database that the entire security community told them at the time was a STUPID FUCKING IDEA!