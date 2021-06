The summary does not explain clearly the process, neither does the article. It explains that they bought some cookies online. HTTP is a stateless protocolo, and HTTP cookies are the mechanism employed to maintain session information. Therefore, if you clone a cookie you can impersonate a different user. If I understand correctly, a list of the AE slack servers has been accidentally posted online [vice.com], and they obtained the cookies of the slack server corresponding to an AE developer. In this channel, they alleged that their phone was lost, so they could not get the 2FA code required to log in into the development servers at AE. Another AE member simply helped them log in, and it was all done.