I just got the email from haveibeenpwned. F Trello.

    • ChrislyBear@lemmy.world
      link
      fedilink
      English
      arrow-up
      50
      ·
      10 months ago

      They do, in the EU. If you fuck up your customer’s data, you’ll face fines consisting of hefty percentages of your yearly revenue!

        • JustEnoughDucks@feddit.nl
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          10 months ago

          Oh noooo, 1% of their yearly gross revenue or 1.3% of their yearly gross profit. What a fine!

          Side note: I would love to discover a public record of them paying these fines… we hear they ate fined, but never that they had to pay them. What is stopping them from cutting a deal of a payment plan over 20 years with 0% interest or full up front but only paying 30% of it or some lobbying BS.

          We can infer that for sure this fine is coming out pre-tax.

    • Tarquinn2049@lemmy.world
      link
      fedilink
      English
      arrow-up
      57
      arrow-down
      19
      ·
      edit-2
      10 months ago

      This is not something a company did.

      The group of people took a list of user names and passwords from a different breach and tried them on trello to see if people used the same password and wrote down which ones did.

      Nothing a company can possibly do to stop this, only users can.

      Even if the company required 2 factor authentication to fully log in, getting this far would still confirm each account/password combo was correct, which is all the “hackers” did.

      • fine_sandy_bottom@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        45
        ·
        10 months ago

        That’s not what happened.

        Attackers queried n email addresses against trello, who responded with names and user names for accounts that existed.

        No one asked trello to publish their names, so that’s a breach.

      • joshhsoj1902@lemmy.ca
        link
        fedilink
        English
        arrow-up
        23
        arrow-down
        2
        ·
        10 months ago

        This isn’t completely true, but it is the current standard.

        A website can detect and block many user/password attempts from the same IP and block IPs that are suspicious.

        Websites can detect elivated login fails across many IPs are react accordingly (It may be reasonable to block all logins for a time if they detect an attack like this)

        I’m sure there are other strategies, I don’t know how often they are actually employed, but I wish companies would start taking this sort of attack more seriously (even if it’s not at all hacking)

        • glitch1985@lemmy.world
          link
          fedilink
          English
          arrow-up
          12
          arrow-down
          2
          ·
          10 months ago

          CGNAT would throw a wrench in that when you have thousands of users using mobile data and they appear to be coming from the same ip.

          • Saik0@lemmy.saik0.com
            link
            fedilink
            English
            arrow-up
            4
            ·
            10 months ago

            You look for trends, not raw numbers. If an ip increase 500%in 10 minutes… throttle it a bit… insert wait times. If it’s trust worthy then allow new value to become normal… otherwise keep the ip throttled.

          • frezik@midwest.social
            link
            fedilink
            English
            arrow-up
            4
            ·
            edit-2
            10 months ago

            Nooooo, people keep telling me IPv6 will be insecure because of no longer having NAT.

            Mostly people who don’t know what a subnet is, but people.

        • sfgifz@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          2
          ·
          edit-2
          10 months ago

          It may be reasonable to block all logins for a time if they detect an attack like this

          That would be a P1 incident and probably violate SLAs depending on the duration.

          • Saik0@lemmy.saik0.com
            link
            fedilink
            English
            arrow-up
            8
            arrow-down
            1
            ·
            10 months ago

            Inserting a literally meaningless delay like 5 seconds is sufficient to make your service virtually impenetrable to mass bruteforce/stuffing attacks. Credential stuffing become untenable when your trying to stuff 1million creds with a 5 second cooldown. Most normal users who would hit it would just think their wifi or cell service hicupped.

    • CosmicTurtle@lemmy.world
      link
      fedilink
      English
      arrow-up
      33
      arrow-down
      7
      ·
      10 months ago

      Yes but this wasn’t a data breach. This was a data stuffing incident, meaning they took someone else’s data dump and tried their email and credentials here.

      • never use the same username and password in two or more places
      • always use MFA, a hard token if you can like a yubikey
        • brian@programming.dev
          link
          fedilink
          English
          arrow-up
          2
          ·
          10 months ago

          all the root secrets are available in plain text the generator app at some point, they have to be. moving that to a single purpose device greatly reduces the risk of vulnerabilities in your phone leading to exfiltration via internet connection

        • Kayel@aussie.zone
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          10 months ago

          I cannot think of a use-case outside of statecraft. Maybe companies engaged, or being engaged, in corporate espionage.

      • Paragone@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        9
        ·
        10 months ago

        Do you own a Yubikey?

        Have you ever succeeded in getting it to work with anything??

        It didn’t work with gmail, or any other online account I had.

        An absolute waste of $$.

      • Albatross2724@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        10 months ago

        For project tools like Trello, a good portion of your userbase is company emails. A malicious actor now has a list of company emails that they can compare against public facing data like Linkedin, imitate a user using a gmail based off their name, sending an email to that company’s IT team asking for an MFA reset sent to the newly created gmail account. Now imagine if that compromised user is a developer with admin access to production environments. These were the conditions for various ransomware attacks.

        An email, username, real name are not much, but it’s a foot in the door.

        • Dr. Moose@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          10 months ago

          It is a foot in the door but honestly there are way too many doors out there so it’s really hard to measure the real damage of this.

          I worked at a pretty major employment company like 20 years ago when basically everything was legal and we didn’t need to buy dark web datasets to find real names and contacts ever - most of that data is publicly available and can be captured with simple public scrapers and email checks.

          I think expectation of names and emails being private should be thrown out of the window entirely and every security system should implicitly assume these details are publicly known.

          • Albatross2724@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            10 months ago

            So the conditions I mentioned were directly from a series of ransomware attacks from the group BlackCat including the high profile ransomware incident targeting MGM Casinos last year. My team recently used the same premise during an incident response drill based on that event.

    • Petter1@lemm.ee
      link
      fedilink
      English
      arrow-up
      14
      arrow-down
      2
      ·
      10 months ago

      I agree that data security is important, even if it is only email addresses, where many are probably findable in the web anyway. Maybe, the link with the username has some value, but I’d bet only little. In my opinion, harsh penalties are more needed in privacy invasive (in my opinion malware) like google, meta, Amazon etc. are spreading.

      • deadbeef79000@lemmy.nz
        link
        fedilink
        English
        arrow-up
        9
        ·
        10 months ago

        The problem is that this data can be combined with other data. An email address by itself isn’t particularly important but when it’s matched up with names, physical addresses, DoB, SSN, other PII and the network of other services with matching data it becomes very serious.

        It’s never just this breach, it’s every other breach as well. Every breach makes every preceeding breach more effective and more valuable.

          • deadbeef79000@lemmy.nz
            link
            fedilink
            English
            arrow-up
            1
            ·
            10 months ago

            Other breaches do.

            If two breaches have an overlap, e.g. they both contain email address, then they can be joined into a more complete set.

            • aidan@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              10 months ago

              Yeah, I don’t think there is much that would be gleamed by combining with this dataset

        • Petter1@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          10 months ago

          Of course, but where are names, physical addresses, DoB, SSN, etc in this dataset? It’s just mail and username

          • deadbeef79000@lemmy.nz
            link
            fedilink
            English
            arrow-up
            1
            ·
            10 months ago

            Other breaches do.

            If two breaches have an overlap, e.g. they both contain email address, then they can be joined into a more complete set.

  • TargaryenTKE@lemmy.world
    link
    fedilink
    English
    arrow-up
    55
    arrow-down
    2
    ·
    10 months ago

    Literally never heard of Trello in my life until today…when my boss sent me a link to join their board…

    • funkless_eck@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      15
      ·
      10 months ago

      Do you work in any kind of corporate or business services sector? It feels so ubiquitous to me I’m surprised it’s only 13 years old.

      • TargaryenTKE@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        10 months ago

        I work for a small (but successful) company that is starting to get their shit together and actually build resources instead of saying “Well, just do what we did 3 years ago” to someone who has no idea what they’re talking about

      • Sentient_Modem@lemm.ee
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        1
        ·
        10 months ago

        I exclusively use alias emails and have found the down side. If you use an alias email for each site you visit (let’s say an online shop that is ran by Shopify) there is an extremely high chance your purchase will be flagged (fuck you Shopify) as a fraudulent account. I am constantly being flagged on sites with Shopify back ends for fraud. It really sucks when your hoppy (FPV Drones) is mainly ran by Shopify sites.

        P.S. There is no one to help resolve these issues with Shopify as they don’t have a customer support unless you’re a customer and the store owners are either dumb on how to help or just plain lazy.

        • Swarfega@lemm.ee
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          1
          ·
          10 months ago

          I’ve just gone over 200 aliases and none of mine are blocked. Are you using a custom domain?

        • Kayel@aussie.zone
          link
          fedilink
          English
          arrow-up
          1
          ·
          10 months ago

          I found a .com domain helps with this. You can find some ugly ones for cheap

        • /home/pineapplelover@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          10 months ago

          Ebay blocks me everytime. I checkout as guest and usually when I try to order from the same email again, it is indefinitely suspended for reasons they cannot explain to me.

        • Jamyang@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          10 months ago

          Here is what you should have done. Get a cheap ass domain and signup for Zoho’s email service which is totally free. I bought a cheap domain from them. The price is very reasonable. Then AI proceeded to make use of their free email suite service, which requires your custom domain (hence the cheap domain purchase). The free email suite gives you give free email accounts. Each email account in turn has unlimited alias feature. I use their email accounts each for different uses (work, social media, etc). For only 10$ a year, I do not suffer from spam, promotions and shit. I use a dedicated alias for cookiebeggars and registration mofos who won’t let you see their content. Another alias for a pathetic spamming shopping site etc. They have a mail client for all platforms so no issue with accessibility. The email has calendar, bookmarking, note taking and other small managerial stuff too. I recomend this approach.

      • simple@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        10 months ago

        I’ve started using similar services recently but it was a bit too late haha

        • /home/pineapplelover@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          10 months ago

          It’s never too late. Give it a try. With the 10 free emails you can compartmentalize pretty easily. I pay for Proton Unlimited so it comes with SimpleLogin Premium, so if you want to give it a spin, it doesn’t cost anything.

  • colonelp4nic@lemmy.world
    link
    fedilink
    English
    arrow-up
    45
    arrow-down
    6
    ·
    10 months ago

    “Breached” implies that sensitive data, like payment details, private communication, or physical addresses, were leaked. Instead, this is just semi-public stuff like email/username/name. Maybe a better title would be “15M Trello users have been identified (name/email)”

    • syd@lemy.lolOP
      link
      fedilink
      English
      arrow-up
      28
      arrow-down
      1
      ·
      edit-2
      10 months ago

      Of course. But are you sure “identified” is correct word here? I chose “breached” because title of mail was “You’re one of 15,111,945 people pwned in the Trello data breach”

      • colonelp4nic@lemmy.world
        link
        fedilink
        English
        arrow-up
        21
        arrow-down
        1
        ·
        10 months ago

        I think it’s reasonable that you chose that title based on the email header, and I also think it’s very irresponsible of haveibeenpwned to send out an email with that subject line. They absolutely should know better.

        • scarilog@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          10 months ago

          It’s a breach. Name and username should not be publically accessible using the email address alone.

  • DreamButt@lemmy.world
    link
    fedilink
    English
    arrow-up
    28
    ·
    10 months ago

    Funny. Back in my l337 days public Trello boards were one of the easy ways to get passwords. People would put shared passwords for team accounts just on their board, in plain text

  • mark@programming.dev
    link
    fedilink
    English
    arrow-up
    25
    arrow-down
    1
    ·
    10 months ago

    Hey OP, I’m doing some research. You mind sharing that link in the description of your screenshot?

  • ombremad@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    21
    arrow-down
    1
    ·
    10 months ago

    15M Trello accounts have been leaked

    That title is very misleading. 15M Trello accounts were found to be compromised because of other, previous leaks, but no leak related to Trello occurred.

      • ombremad@lemmy.blahaj.zone
        link
        fedilink
        English
        arrow-up
        1
        ·
        10 months ago

        Maybe « 15M Trello accounts compromised from previous leaks »? I tried to keep it short but not so short that it would be misleading, dunno if the right balance is there.

        • whoisearth@lemmy.ca
          link
          fedilink
          English
          arrow-up
          5
          ·
          10 months ago

          Meh. More they’re swimming with big fish for about a decade or more now.

          It’s not that they’re bad, it’s that their priorities have shifted and they don’t care.

          • rekabis@lemmy.ca
            link
            fedilink
            English
            arrow-up
            4
            ·
            10 months ago

            The fact that they have yoinked their self-hosted option that was perfect for small/individual operators means their priorities no longer include growing organically.

            A rabid fanbase of individual users is how you achieve meteoric growth. A sysadmin coming into a company that’s looking for a solution is only going to rave about products they have personally had an opportunity to use themselves.

            Just like Microsoft with the former MSDN and its low entry costs, Atlassian has shot themselves in the foot and don’t even realize it.

            • whoisearth@lemmy.ca
              link
              fedilink
              English
              arrow-up
              1
              ·
              10 months ago

              I’d argue they haven’t shot themselves in the foot at all. I agree they’ve fucked over small selfhosters like me but they’re milking the big cows now. Quite frankly they don’t care about us small fry because we don’t generate revenue. This is no different to M$ or now VMWare. They are squeezing the balls of corporate America now they don’t need us anymore. We are an afterthought at best. Relationship is over, better we find a new girlfriend.

    • trustnoone@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      22
      ·
      10 months ago

      It’s a kanban board that atlassian a popular company that makes apps for developers bought out.

      Not sure if you used a kanban board before but basically you put items that need to be done in columns with typical headers (can be changed) of “to do, doing, blocked, done”. So that one can keep track of work/goals etc.

        • Takumidesh@lemmy.world
          link
          fedilink
          English
          arrow-up
          18
          ·
          10 months ago

          Kanban was actually developed by an engineer at Toyota to be used to help organize and plan tasks on the assembly line. It’s not strictly a development tool.

        • trustnoone@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          7
          ·
          edit-2
          10 months ago

          To add to the other users comment about it not being strictly a tech tool. Many people are using it to keep track of their New Year Resolutions :D. 🎊 Happy New Year

    • _dev_null@lemmy.zxcvn.xyz
      link
      fedilink
      English
      arrow-up
      3
      ·
      10 months ago

      Get something like splunk to do it. I’m wondering what the rules for this might look like, especially if this was e.g. distributed scraping.

      • tsonfeir@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        10 months ago

        With a site that active, they really need something that can’t identify strange traffic patterns. Hell, maybe they do but no one cared to do anything. Maybe no one listens to IT… that never happens /s

  • Appoxo@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    edit-2
    10 months ago

    This should be a locally installed program with a licensing usb dongle or electronic license.

    So much company secrets in there…