With Verizon on the phone, it was a fairly simple matter to re-reset the portal password, set an account PIN to prevent attacker re-entry and un-do the phone forward. But the attacker had access for a solid 4 hours, what mischief did he get up to in that time? Surprisingly little. The attacker was able to add a new device to the employee’s Authy account (which we revoked), but didn’t actually try to use it. As far as we could tell (and can tell to this day) the attacker did nothing else. We reviewed access logs from the employee’s personal and corporate online presence with no unusual findings. Because this employee is awesome, he uses a password manager to establish long, random and unique passwords across all his services, has two-factor authentication (2fa) set up everywhere and uses more long, random strings as answers to his account recovery questions. He was locked down tight.