This week I learned that Google’s account security is retarded enough to send you push notifications to any Google owned iPhone app you’re logged into to approve a forgot password account recovery workflow. The push notification will override TOTP MFA you have set up with the account. Some attacker has been spamming me for more than a month and I finally just deleted the gmail app. Then it sent to the YouTube app… Apparently the only solution, other than deleting or logging out of every Google app, is using their advanced protection program requiring hardware keys. (Inb4 stop using google, bro. I switched to duck dot com burner emails and proton years ago. It’s a long process fully decoupling)