I just got the email from haveibeenpwned. F Trello.
You must log in or register to comment.
Obligatory: companies should face harsh penalties for this stuff.
tbf it’s just email, username and real name so it’s basically nothing when half of users are name.lastname@gmail.com either way.
For project tools like Trello, a good portion of your userbase is company emails. A malicious actor now has a list of company emails that they can compare against public facing data like Linkedin, imitate a user using a gmail based off their name, sending an email to that company’s IT team asking for an MFA reset sent to the newly created gmail account. Now imagine if that compromised user is a developer with admin access to production environments. These were the conditions for various ransomware attacks.
An email, username, real name are not much, but it’s a foot in the door.
It is a foot in the door but honestly there are way too many doors out there so it’s really hard to measure the real damage of this.
I worked at a pretty major employment company like 20 years ago when basically everything was legal and we didn’t need to buy dark web datasets to find real names and contacts ever - most of that data is publicly available and can be captured with simple public scrapers and email checks.
I think expectation of names and emails being private should be thrown out of the window entirely and every security system should implicitly assume these details are publicly known.
So the conditions I mentioned were directly from a series of ransomware attacks from the group BlackCat including the high profile ransomware incident targeting MGM Casinos last year. My team recently used the same premise during an incident response drill based on that event.
I agree that data security is important, even if it is only email addresses, where many are probably findable in the web anyway. Maybe, the link with the username has some value, but I’d bet only little. In my opinion, harsh penalties are more needed in privacy invasive (in my opinion malware) like google, meta, Amazon etc. are spreading.
The problem is that this data can be combined with other data. An email address by itself isn’t particularly important but when it’s matched up with names, physical addresses, DoB, SSN, other PII and the network of other services with matching data it becomes very serious.
It’s never just this breach, it’s every other breach as well. Every breach makes every preceeding breach more effective and more valuable.
Of course, but where are names, physical addresses, DoB, SSN, etc in this dataset? It’s just mail and username
Other breaches do.
If two breaches have an overlap, e.g. they both contain email address, then they can be joined into a more complete set.
Yes but this wasn’t a data breach. This was a data stuffing incident, meaning they took someone else’s data dump and tried their email and credentials here.
- never use the same username and password in two or more places
- always use MFA, a hard token if you can like a yubikey
Do you own a Yubikey?
Have you ever succeeded in getting it to work with anything??
It didn’t work with gmail, or any other online account I had.
An absolute waste of $$.
15M Trello accounts have been leaked
That title is very misleading. 15M Trello accounts were found to be compromised because of other, previous leaks, but no leak related to Trello occurred.
Can you suggest one? I can modify.
Maybe « 15M Trello accounts compromised from previous leaks »? I tried to keep it short but not so short that it would be misleading, dunno if the right balance is there.
My email has been leaked 20 times now, how lovely
Buddy, you need this more than I do
I exclusively use alias emails and have found the down side. If you use an alias email for each site you visit (let’s say an online shop that is ran by Shopify) there is an extremely high chance your purchase will be flagged (fuck you Shopify) as a fraudulent account. I am constantly being flagged on sites with Shopify back ends for fraud. It really sucks when your hoppy (FPV Drones) is mainly ran by Shopify sites.
P.S. There is no one to help resolve these issues with Shopify as they don’t have a customer support unless you’re a customer and the store owners are either dumb on how to help or just plain lazy.
I’ve just gone over 200 aliases and none of mine are blocked. Are you using a custom domain?
Ebay blocks me everytime. I checkout as guest and usually when I try to order from the same email again, it is indefinitely suspended for reasons they cannot explain to me.
I found a .com domain helps with this. You can find some ugly ones for cheap
I currently own and use a @example.com. My aliases are formatted as such word.word####@domain.com (Example: fast.goat8376@lemmy.com
I’ve started using similar services recently but it was a bit too late haha
It’s never too late. Give it a try. With the 10 free emails you can compartmentalize pretty easily. I pay for Proton Unlimited so it comes with SimpleLogin Premium, so if you want to give it a spin, it doesn’t cost anything.
Hey OP, I’m doing some research. You mind sharing that link in the description of your screenshot?
deleted by creator
Because you think they delete your data?
deleted by creator
I have an active account and it also didn’t pop up in pwned.
What a comment chain
Why isn’t Trello / Atlassian warning about this?
TIL Atlassian owns trello
Because this is the norm for anything atlassian owned/operated…
Is atlassian really that bad?
Meh. More they’re swimming with big fish for about a decade or more now.
It’s not that they’re bad, it’s that their priorities have shifted and they don’t care.
The fact that they have yoinked their self-hosted option that was perfect for small/individual operators means their priorities no longer include growing organically.
A rabid fanbase of individual users is how you achieve meteoric growth. A sysadmin coming into a company that’s looking for a solution is only going to rave about products they have personally had an opportunity to use themselves.
Just like Microsoft with the former MSDN and its low entry costs, Atlassian has shot themselves in the foot and don’t even realize it.
I’d argue they haven’t shot themselves in the foot at all. I agree they’ve fucked over small selfhosters like me but they’re milking the big cows now. Quite frankly they don’t care about us small fry because we don’t generate revenue. This is no different to M$ or now VMWare. They are squeezing the balls of corporate America now they don’t need us anymore. We are an afterthought at best. Relationship is over, better we find a new girlfriend.
327 CVE entries for atlassian. Lots of critical and high severity ones too. Dont use anything by atlassian, unless you want your company getting ransomwared.
Wait til these people hear about phone books
That’s not what it means to breach an account…
How about “leaked”? I chose “breached” because title of mail was “You’re one of 15,111,945 people pwned in the Trello data breach”
No unauthorised access has occurred
I just got this email from Google while reading this. A funny coincidence.
Oh no not my email adress and username
Hello spam, and also confirmation that your email address and username is valid and can be used to try to log in elsewhere.
What do they do with this information? Sell to databrokers?
Yeah mostly for spam but the dataset is massive. 15M emails + real names + usernames is pretty useful for any cold emailing like recruitment and product spam. That being said, using datasets like this legally is a no-no but it’s almost impossible to prove either way.
This should be a locally installed program with a licensing usb dongle or electronic license.
So much company secrets in there…
Dang, the hackers know what I’m planning to do tomorrow.
