> We received a list of email addresses linked to the [North Korean] hacker group, and one of them matched the email the candidate used to apply to Kraken.
Don't passkeys still have tons of vendor lock-in attached? A password I can put into any password manager I want and transfer it to a different password manager and neither the password manager company nor the company for which I made the account is any the wiser.
Some PW managers can store a passkey, but when tied to a device, if the device is compromised then all of your accounts are, unless you're also using a YubiKey or third device 2FA.
I could be wrong or misinformed, but I thought part of the passkey spec included some kind of remote attestation mechanism to facilitate vendor lock-in (i.e. Google could say its account passkey is only valid if stored in Chrome's password manager, to make up a silly example).
> Their resume was linked to a GitHub profile containing an email address exposed in a past data breach.
How is it an indicator of anything? Any actively used e-mail address that is older than a few years will be listed on haveibeenpwned.