TfL requires in-person password resets for 30,000 employees after hack
https://www.bleepingcomputer.com/news/security/tfl-requires-in-person-password-resets-for-30-000-employees-after-hack/
I imagine this process is more about ensuring the employee is the one entering the new password, rather than the malicious actor - which would easily be possible if a simple password reset email was sent out.
I guess that's possible, but then that user would be locked out of their account and they'd quickly figure out whose account was compromised when the employee can't access things anymore.