Google says hackers used app specific passwords to bypass MFA

A reminder that even MFA isn’t foolproof—app-specific passwords can be a weak link. This attack shows how trust and timing, not tech, were the real weapons. Best to avoid ASPs and use OAuth or passkeys when possible. Big thanks to Google and Citizen Lab for sharing this.