That's certainly what they want you to take away from it, but is it what they actually said?
Failing to rate limit login attempts is a fuzzy sort of failure. I would probably call it a "vulnerability", but I wouldn't call it a "breach" to take advantage of it to figure out someone's password.
To me, this reads as a carefully crafted non-denial that looks like a denial if you don't really pay close attention.