15M Trello accounts have been leaked
15M Trello accounts have been leaked
I just got the email from haveibeenpwned. F Trello.
Obligatory: companies should face harsh penalties for this stuff.
162They do, in the EU. If you fuck up your customer's data, you'll face fines consisting of hefty percentages of your yearly revenue!
50https://www.enforcementtracker.com/
Yep, hefty. Top 5: 1.2B meta, 746M amazon, 405M meta, 390M meta, 345M tiktok (all in €).
18
This is not something a company did.
The group of people took a list of user names and passwords from a different breach and tried them on trello to see if people used the same password and wrote down which ones did.
Nothing a company can possibly do to stop this, only users can.
Even if the company required 2 factor authentication to fully log in, getting this far would still confirm each account/password combo was correct, which is all the "hackers" did.
38That's not what happened.
Attackers queried n email addresses against trello, who responded with names and user names for accounts that existed.
No one asked trello to publish their names, so that's a breach.
45This isn't completely true, but it is the current standard.
A website can detect and block many user/password attempts from the same IP and block IPs that are suspicious.
Websites can detect elivated login fails across many IPs are react accordingly (It may be reasonable to block all logins for a time if they detect an attack like this)
I'm sure there are other strategies, I don't know how often they are actually employed, but I wish companies would start taking this sort of attack more seriously (even if it's not at all hacking)
21I mean, passkeys are a thing.
-3
Yes but this wasn't a data breach. This was a data stuffing incident, meaning they took someone else's data dump and tried their email and credentials here.
- never use the same username and password in two or more places
- always use MFA, a hard token if you can like a yubikey
25tbf it's just email, username and real name so it's basically nothing when half of users are name.lastname@gmail.com either way.
14For project tools like Trello, a good portion of your userbase is company emails. A malicious actor now has a list of company emails that they can compare against public facing data like Linkedin, imitate a user using a gmail based off their name, sending an email to that company's IT team asking for an MFA reset sent to the newly created gmail account. Now imagine if that compromised user is a developer with admin access to production environments. These were the conditions for various ransomware attacks.
An email, username, real name are not much, but it's a foot in the door.
5
I agree that data security is important, even if it is only email addresses, where many are probably findable in the web anyway. Maybe, the link with the username has some value, but I’d bet only little. In my opinion, harsh penalties are more needed in privacy invasive (in my opinion malware) like google, meta, Amazon etc. are spreading.
12The problem is that this data can be combined with other data. An email address by itself isn't particularly important but when it's matched up with names, physical addresses, DoB, SSN, other PII and the network of other services with matching data it becomes very serious.
It's never just this breach, it's every other breach as well. Every breach makes every preceeding breach more effective and more valuable.
8
Literally never heard of Trello in my life until today...when my boss sent me a link to join their board...
51Do you work in any kind of corporate or business services sector? It feels so ubiquitous to me I'm surprised it's only 13 years old.
15I work for a small (but successful) company that is starting to get their shit together and actually build resources instead of saying "Well, just do what we did 3 years ago" to someone who has no idea what they're talking about
3
Wow that was fast, how many board members were removed?
12
My email has been leaked 20 times now, how lovely
48Buddy, you need this more than I do
33I exclusively use alias emails and have found the down side. If you use an alias email for each site you visit (let’s say an online shop that is ran by Shopify) there is an extremely high chance your purchase will be flagged (fuck you Shopify) as a fraudulent account. I am constantly being flagged on sites with Shopify back ends for fraud. It really sucks when your hoppy (FPV Drones) is mainly ran by Shopify sites.
P.S. There is no one to help resolve these issues with Shopify as they don’t have a customer support unless you’re a customer and the store owners are either dumb on how to help or just plain lazy.
11Temporary solution, but works for now.
3
"Breached" implies that sensitive data, like payment details, private communication, or physical addresses, were leaked. Instead, this is just semi-public stuff like email/username/name. Maybe a better title would be "15M Trello users have been identified (name/email)"
38Of course. But are you sure “identified” is correct word here? I chose “breached” because title of mail was “You're one of 15,111,945 people pwned in the Trello data breach”
26
Funny. Back in my l337 days public Trello boards were one of the easy ways to get passwords. People would put shared passwords for team accounts just on their board, in plain text
28Yeah even api and secret keys!
7
Hey OP, I'm doing some research. You mind sharing that link in the description of your screenshot?
2315M Trello accounts have been leaked
That title is very misleading. 15M Trello accounts were found to be compromised because of other, previous leaks, but no leak related to Trello occurred.
20Can you suggest one? I can modify.
4Maybe « 15M Trello accounts compromised from previous leaks »? I tried to keep it short but not so short that it would be misleading, dunno if the right balance is there.
1
Dumb question time
What is Trello?
16It's a kanban board that atlassian a popular company that makes apps for developers bought out.
Not sure if you used a kanban board before but basically you put items that need to be done in columns with typical headers (can be changed) of "to do, doing, blocked, done". So that one can keep track of work/goals etc.
22
No unauthorised access has occurred
13Nobody watches sever logs 😞
11Get something like splunk to do it. I'm wondering what the rules for this might look like, especially if this was e.g. distributed scraping.
3With a site that active, they really need something that can’t identify strange traffic patterns. Hell, maybe they do but no one cared to do anything. Maybe no one listens to IT… that never happens /s
2
I literally just closed my trello account in october 23, after having it open for 6 years. Looks like I made a good call
11Because you think they delete your data?
31
Wait til these people hear about phone books
10This should be a locally installed program with a licensing usb dongle or electronic license.
So much company secrets in there...
5Permanently Deleted
4Yeah mostly for spam but the dataset is massive. 15M emails + real names + usernames is pretty useful for any cold emailing like recruitment and product spam. That being said, using datasets like this legally is a no-no but it's almost impossible to prove either way.
1
Oh no not my email adress and username
3Hello spam, and also confirmation that your email address and username is valid and can be used to try to log in elsewhere.
0
I just got this email from Google while reading this. A funny coincidence.
3Where they sell these data? I want to check if my password is compromised..
2Haveibeenpwned.com lets you check if your accounts are compromised
7
Dang, the hackers know what I'm planning to do tomorrow.
1