607
submitted 10 months ago* (last edited 10 months ago) by syd@lemy.lol to c/technology@lemmy.world

I just got the email from haveibeenpwned. F Trello.

top 50 comments
sorted by: hot top controversial new old
[-] fine_sandy_bottom@discuss.tchncs.de 175 points 10 months ago

Obligatory: companies should face harsh penalties for this stuff.

[-] Tarquinn2049@lemmy.world 56 points 10 months ago* (last edited 10 months ago)

This is not something a company did.

The group of people took a list of user names and passwords from a different breach and tried them on trello to see if people used the same password and wrote down which ones did.

Nothing a company can possibly do to stop this, only users can.

Even if the company required 2 factor authentication to fully log in, getting this far would still confirm each account/password combo was correct, which is all the "hackers" did.

[-] fine_sandy_bottom@discuss.tchncs.de 45 points 10 months ago

That's not what happened.

Attackers queried n email addresses against trello, who responded with names and user names for accounts that existed.

No one asked trello to publish their names, so that's a breach.

[-] joshhsoj1902@lemmy.ca 23 points 10 months ago

This isn't completely true, but it is the current standard.

A website can detect and block many user/password attempts from the same IP and block IPs that are suspicious.

Websites can detect elivated login fails across many IPs are react accordingly (It may be reasonable to block all logins for a time if they detect an attack like this)

I'm sure there are other strategies, I don't know how often they are actually employed, but I wish companies would start taking this sort of attack more seriously (even if it's not at all hacking)

[-] glitch1985@lemmy.world 11 points 10 months ago

CGNAT would throw a wrench in that when you have thousands of users using mobile data and they appear to be coming from the same ip.

load more comments (2 replies)
[-] sfgifz@lemmy.world 6 points 10 months ago* (last edited 10 months ago)

It may be reasonable to block all logins for a time if they detect an attack like this

That would be a P1 incident and probably violate SLAs depending on the duration.

[-] Saik0Shinigami@lemmy.saik0.com 8 points 10 months ago

Inserting a literally meaningless delay like 5 seconds is sufficient to make your service virtually impenetrable to mass bruteforce/stuffing attacks. Credential stuffing become untenable when your trying to stuff 1million creds with a 5 second cooldown. Most normal users who would hit it would just think their wifi or cell service hicupped.

load more comments (1 replies)
[-] ChrislyBear@lemmy.world 48 points 10 months ago

They do, in the EU. If you fuck up your customer's data, you'll face fines consisting of hefty percentages of your yearly revenue!

[-] far_university1990@feddit.de 18 points 10 months ago

https://www.enforcementtracker.com/

Yep, hefty. Top 5: 1.2B meta, 746M amazon, 405M meta, 390M meta, 345M tiktok (all in €).

load more comments (1 replies)
[-] CosmicTurtle@lemmy.world 31 points 10 months ago

Yes but this wasn't a data breach. This was a data stuffing incident, meaning they took someone else's data dump and tried their email and credentials here.

  • never use the same username and password in two or more places
  • always use MFA, a hard token if you can like a yubikey
[-] fine_sandy_bottom@discuss.tchncs.de 12 points 10 months ago

It's a breach.

Attackers queried email addresses and trello responded with names and user names.

[-] drmoose@lemmy.world 6 points 10 months ago

real names is definitely a breach

load more comments (1 replies)
load more comments (9 replies)
[-] drmoose@lemmy.world 18 points 10 months ago* (last edited 10 months ago)

tbf it's just email, username and real name so it's basically nothing when half of users are name.lastname@gmail.com either way.

load more comments (3 replies)
[-] Petter1@lemm.ee 13 points 10 months ago

I agree that data security is important, even if it is only email addresses, where many are probably findable in the web anyway. Maybe, the link with the username has some value, but I’d bet only little. In my opinion, harsh penalties are more needed in privacy invasive (in my opinion malware) like google, meta, Amazon etc. are spreading.

[-] deadbeef79000@lemmy.nz 8 points 10 months ago

The problem is that this data can be combined with other data. An email address by itself isn't particularly important but when it's matched up with names, physical addresses, DoB, SSN, other PII and the network of other services with matching data it becomes very serious.

It's never just this breach, it's every other breach as well. Every breach makes every preceeding breach more effective and more valuable.

load more comments (5 replies)
[-] TargaryenTKE@lemmy.world 55 points 10 months ago

Literally never heard of Trello in my life until today...when my boss sent me a link to join their board...

[-] funkless_eck@sh.itjust.works 15 points 10 months ago

Do you work in any kind of corporate or business services sector? It feels so ubiquitous to me I'm surprised it's only 13 years old.

load more comments (1 replies)
[-] DarkDarkHouse@lemmy.sdf.org 12 points 10 months ago

Wow that was fast, how many board members were removed?

[-] simple@lemm.ee 47 points 10 months ago

My email has been leaked 20 times now, how lovely

[-] pineapplelover@lemm.ee 33 points 10 months ago* (last edited 10 months ago)
[-] paraphrand@lemmy.world 28 points 10 months ago

Things like this only work until platforms block the domains due to abuse.

[-] rikudou@lemmings.world 14 points 10 months ago

Bring your own domain! I use addy.io with my own domains.

load more comments (1 replies)
load more comments (2 replies)
[-] Sentient_Modem@lemm.ee 12 points 10 months ago

I exclusively use alias emails and have found the down side. If you use an alias email for each site you visit (let’s say an online shop that is ran by Shopify) there is an extremely high chance your purchase will be flagged (fuck you Shopify) as a fraudulent account. I am constantly being flagged on sites with Shopify back ends for fraud. It really sucks when your hoppy (FPV Drones) is mainly ran by Shopify sites.

P.S. There is no one to help resolve these issues with Shopify as they don’t have a customer support unless you’re a customer and the store owners are either dumb on how to help or just plain lazy.

load more comments (5 replies)
load more comments (2 replies)
[-] colonelp4nic@lemmy.world 44 points 10 months ago

"Breached" implies that sensitive data, like payment details, private communication, or physical addresses, were leaked. Instead, this is just semi-public stuff like email/username/name. Maybe a better title would be "15M Trello users have been identified (name/email)"

[-] syd@lemy.lol 27 points 10 months ago* (last edited 10 months ago)

Of course. But are you sure “identified” is correct word here? I chose “breached” because title of mail was “You're one of 15,111,945 people pwned in the Trello data breach”

[-] colonelp4nic@lemmy.world 21 points 10 months ago

I think it's reasonable that you chose that title based on the email header, and I also think it's very irresponsible of haveibeenpwned to send out an email with that subject line. They absolutely should know better.

load more comments (1 replies)
[-] tdawg@lemmy.world 28 points 10 months ago

Funny. Back in my l337 days public Trello boards were one of the easy ways to get passwords. People would put shared passwords for team accounts just on their board, in plain text

[-] trustnoone@lemmy.sdf.org 7 points 10 months ago

Yeah even api and secret keys!

[-] mark@programming.dev 25 points 10 months ago

Hey OP, I'm doing some research. You mind sharing that link in the description of your screenshot?

[-] ombremad 21 points 10 months ago

15M Trello accounts have been leaked

That title is very misleading. 15M Trello accounts were found to be compromised because of other, previous leaks, but no leak related to Trello occurred.

load more comments (2 replies)
[-] tias@discuss.tchncs.de 17 points 10 months ago

Why isn't Trello / Atlassian warning about this?

[-] unexposedhazard@discuss.tchncs.de 10 points 10 months ago

Because this is the norm for anything atlassian owned/operated...

load more comments (5 replies)
[-] synae@lemmy.sdf.org 7 points 10 months ago

TIL Atlassian owns trello

load more comments (1 replies)
[-] Usernameblankface@lemmy.world 15 points 10 months ago

Dumb question time

What is Trello?

[-] trustnoone@lemmy.sdf.org 22 points 10 months ago

It's a kanban board that atlassian a popular company that makes apps for developers bought out.

Not sure if you used a kanban board before but basically you put items that need to be done in columns with typical headers (can be changed) of "to do, doing, blocked, done". So that one can keep track of work/goals etc.

[-] Usernameblankface@lemmy.world 9 points 10 months ago

I definitely have not used a kanban board. It seems I am far less involved in the technical world than most Lemmy users

[-] Takumidesh@lemmy.world 18 points 10 months ago

Kanban was actually developed by an engineer at Toyota to be used to help organize and plan tasks on the assembly line. It's not strictly a development tool.

[-] trustnoone@lemmy.sdf.org 7 points 10 months ago* (last edited 10 months ago)

To add to the other users comment about it not being strictly a tech tool. Many people are using it to keep track of their New Year Resolutions :D. 🎊 Happy New Year

[-] ryannathans@aussie.zone 14 points 10 months ago

No unauthorised access has occurred

[-] construct_@lemmy.ca 13 points 10 months ago

Wait til these people hear about phone books

[-] BaardFigur@lemmy.world 13 points 10 months ago

I literally just closed my trello account in october 23, after having it open for 6 years. Looks like I made a good call

[-] Kbobabob@lemmy.world 31 points 10 months ago

Because you think they delete your data?

[-] BaardFigur@lemmy.world 11 points 10 months ago

Well, I checked and my mail didn't appear as pwned from the Trello incident

[-] j_overgrens@feddit.nl 6 points 10 months ago

I have an active account and it also didn't pop up in pwned.

load more comments (1 replies)
[-] tsonfeir@lemm.ee 10 points 10 months ago

Nobody watches sever logs 😞

load more comments (2 replies)
[-] Appoxo@lemmy.dbzer0.com 6 points 10 months ago* (last edited 10 months ago)

This should be a locally installed program with a licensing usb dongle or electronic license.

So much company secrets in there...

load more comments
view more: next ›
this post was submitted on 22 Jan 2024
607 points (100.0% liked)

Technology

59673 readers
2914 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS