15M Trello accounts have been leaked

https://www.enforcementtracker.com/

Yep, hefty. Top 5: 1.2B meta, 746M amazon, 405M meta, 390M meta, 345M tiktok (all in €).

That's not what happened.

Attackers queried n email addresses against trello, who responded with names and user names for accounts that existed.

No one asked trello to publish their names, so that's a breach.

This isn't completely true, but it is the current standard.

A website can detect and block many user/password attempts from the same IP and block IPs that are suspicious.

Websites can detect elivated login fails across many IPs are react accordingly (It may be reasonable to block all logins for a time if they detect an attack like this)

I'm sure there are other strategies, I don't know how often they are actually employed, but I wish companies would start taking this sort of attack more seriously (even if it's not at all hacking)

I mean, passkeys are a thing.

It's a breach.

Attackers queried email addresses and trello responded with names and user names.

Physical token over TOTP authenticator?

Do you own a Yubikey?

Have you ever succeeded in getting it to work with anything??

It didn't work with gmail, or any other online account I had.

An absolute waste of $$.

For project tools like Trello, a good portion of your userbase is company emails. A malicious actor now has a list of company emails that they can compare against public facing data like Linkedin, imitate a user using a gmail based off their name, sending an email to that company's IT team asking for an MFA reset sent to the newly created gmail account. Now imagine if that compromised user is a developer with admin access to production environments. These were the conditions for various ransomware attacks.

An email, username, real name are not much, but it's a foot in the door.

The problem is that this data can be combined with other data. An email address by itself isn't particularly important but when it's matched up with names, physical addresses, DoB, SSN, other PII and the network of other services with matching data it becomes very serious.

It's never just this breach, it's every other breach as well. Every breach makes every preceeding breach more effective and more valuable.

I work for a small (but successful) company that is starting to get their shit together and actually build resources instead of saying "Well, just do what we did 3 years ago" to someone who has no idea what they're talking about

Things like this only work until platforms block the domains due to abuse.

I exclusively use alias emails and have found the down side. If you use an alias email for each site you visit (let’s say an online shop that is ran by Shopify) there is an extremely high chance your purchase will be flagged (fuck you Shopify) as a fraudulent account. I am constantly being flagged on sites with Shopify back ends for fraud. It really sucks when your hoppy (FPV Drones) is mainly ran by Shopify sites.

P.S. There is no one to help resolve these issues with Shopify as they don’t have a customer support unless you’re a customer and the store owners are either dumb on how to help or just plain lazy.

Temporary solution, but works for now.

I've started using similar services recently but it was a bit too late haha

I think it's reasonable that you chose that title based on the email header, and I also think it's very irresponsible of haveibeenpwned to send out an email with that subject line. They absolutely should know better.

But it's not really leaked either

Maybe « 15M Trello accounts compromised from previous leaks »? I tried to keep it short but not so short that it would be misleading, dunno if the right balance is there.

Is atlassian really that bad?

I definitely have not used a kanban board. It seems I am far less involved in the technical world than most Lemmy users

With a site that active, they really need something that can’t identify strange traffic patterns. Hell, maybe they do but no one cared to do anything. Maybe no one listens to IT… that never happens /s