I just got the email from haveibeenpwned. F Trello.
You must log in or register to comment.
Obligatory: companies should face harsh penalties for this stuff.
This is not something a company did.
The group of people took a list of user names and passwords from a different breach and tried them on trello to see if people used the same asswird and wrote down which ones did.
Nothing a company can possibly do to stop this, only users can.
Even if the company required 2 factor authentication to fully log in, getting this far would still confirm each account/password combo was correct, which is all the “hackers” did.
That’s not what happened.
Attackers queried n email addresses against trello, who responded with names and user names for accounts that existed.
No one asked trello to publish their names, so that’s a breach.
This isn’t completely true, but it is the current standard.
A website can detect and block many user/password attempts from the same IP and block IPs that are suspicious.
Websites can detect elivated login fails across many IPs are react accordingly (It may be reasonable to block all logins for a time if they detect an attack like this)
I’m sure there are other strategies, I don’t know how often they are actually employed, but I wish companies would start taking this sort of attack more seriously (even if it’s not at all hacking)
I agree that data security is important, even if it is only email addresses, where many are probably findable in the web anyway. Maybe, the link with the username has some value, but I’d bet only little. In my opinion, harsh penalties are more needed in privacy invasive (in my opinion malware) like google, meta, Amazon etc. are spreading.
The problem is that this data can be combined with other data. An email address by itself isn’t particularly important but when it’s matched up with names, physical addresses, DoB, SSN, other PII and the network of other services with matching data it becomes very serious.
It’s never just this breach, it’s every other breach as well. Every breach makes every preceeding breach more effective and more valuable.
Of course, but where are names, physical addresses, DoB, SSN, etc in this dataset? It’s just mail and username
Other breaches do.
If two breaches have an overlap, e.g. they both contain email address, then they can be joined into a more complete set.
My email has been leaked 20 times now, how lovely
Buddy, you need this more than I do
I exclusively use alias emails and have found the down side. If you use an alias email for each site you visit (let’s say an online shop that is ran by Shopify) there is an extremely high chance your purchase will be flagged (fuck you Shopify) as a fraudulent account. I am constantly being flagged on sites with Shopify back ends for fraud. It really sucks when your hoppy (FPV Drones) is mainly ran by Shopify sites.
P.S. There is no one to help resolve these issues with Shopify as they don’t have a customer support unless you’re a customer and the store owners are either dumb on how to help or just plain lazy.
Here is what you should have done. Get a cheap ass domain and signup for Zoho’s email service which is totally free. I bought a cheap domain from them. The price is very reasonable. Then AI proceeded to make use of their free email suite service, which requires your custom domain (hence the cheap domain purchase). The free email suite gives you give free email accounts. Each email account in turn has unlimited alias feature. I use their email accounts each for different uses (work, social media, etc). For only 10$ a year, I do not suffer from spam, promotions and shit. I use a dedicated alias for cookiebeggars and registration mofos who won’t let you see their content. Another alias for a pathetic spamming shopping site etc. They have a mail client for all platforms so no issue with accessibility. The email has calendar, bookmarking, note taking and other small managerial stuff too. I recomend this approach.
I’ve just gone over 200 aliases and none of mine are blocked. Are you using a custom domain?
That’s not what it means to breach an account…
How about “leaked”? I chose “breached” because title of mail was “You’re one of 15,111,945 people pwned in the Trello data breach”
But it’s not really leaked either
☹️
If info was not public available, would call that „leaked“.
15M Trello accounts have been leaked
That title is very misleading. 15M Trello accounts were found to be compromised because of other, previous leaks, but no leak related to Trello occurred.
Wait til these people hear about phone books
Why isn’t Trello / Atlassian warning about this?
TIL Atlassian owns trello
This is the company who took weeks to restore customer backups.
Because this is the norm for anything atlassian owned/operated…
Is atlassian really that bad?
Meh. More they’re swimming with big fish for about a decade or more now.
It’s not that they’re bad, it’s that their priorities have shifted and they don’t care.
The fact that they have yoinked their self-hosted option that was perfect for small/individual operators means their priorities no longer include growing organically.
A rabid fanbase of individual users is how you achieve meteoric growth. A sysadmin coming into a company that’s looking for a solution is only going to rave about products they have personally had an opportunity to use themselves.
Just like Microsoft with the former MSDN and its low entry costs, Atlassian has shot themselves in the foot and don’t even realize it.
“Breached” implies that sensitive data, like payment details, private communication, or physical addresses, were leaked. Instead, this is just semi-public stuff like email/username/name. Maybe a better title would be “15M Trello users have been identified (name/email)”
Of course. But are you sure “identified” is correct word here? I chose “breached” because title of mail was “You’re one of 15,111,945 people pwned in the Trello data breach”
This should be a locally installed program with a licensing usb dongle or electronic license.
So much company secrets in there…
Where they sell these data? I want to check if my password is compromised…
Hey OP, I’m doing some research. You mind sharing that link in the description of your screenshot?
No unauthorised access has occurred
What do they do with this information? Sell to databrokers?
Nobody watches sever logs 😞
Get something like splunk to do it. I’m wondering what the rules for this might look like, especially if this was e.g. distributed scraping.
