I have read over the last couple of weeks about either fairly or extremely big vendors with glaring mistakes. TorcollectiveDnm didn't have 2FA active on their account, but worse than that, Quantik was using an online PGP service.
What the fuck, guys!?!?
We all have to remember something: vendors are humans too. They make mistakes. Also, being a vendor doesn't mean you are well versed in OPSEC or computers in general. Still, those are both rather large mistakes.