Technology

61081 readers

4689 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

603

15M Trello accounts have been leaked (lemy.lol)

submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/technology

102 comments fedilink hide all child comments

I just got the email from haveibeenpwned. F Trello.

you are viewing a single comment's thread
view the rest of the comments

[–] CosmicTurtle 26 points 1 year ago (3 children)

Yes but this wasn't a data breach. This was a data stuffing incident, meaning they took someone else's data dump and tried their email and credentials here.

never use the same username and password in two or more places
always use MFA, a hard token if you can like a yubikey

[–] [email protected] 10 points 1 year ago (2 children)

It's a breach.

Attackers queried email addresses and trello responded with names and user names.

[–] drmoose 6 points 1 year ago

real names is definitely a breach

[–] scarilog 4 points 1 year ago

Oooh that's pretty bad

[–] JustUseMint 1 points 1 year ago (2 children)

Physical token over TOTP authenticator?

[–] [email protected] 2 points 1 year ago

all the root secrets are available in plain text the generator app at some point, they have to be. moving that to a single purpose device greatly reduces the risk of vulnerabilities in your phone leading to exfiltration via internet connection

[–] [email protected] 1 points 1 year ago

I cannot think of a use-case outside of statecraft. Maybe companies engaged, or being engaged, in corporate espionage.

[+] Paragone -8 points 1 year ago (5 children)

Do you own a Yubikey?

Have you ever succeeded in getting it to work with anything??

It didn't work with gmail, or any other online account I had.

An absolute waste of $$.

[–] [email protected] 8 points 1 year ago

mine works for my personal google account, work one is sso and doesn't have it enabled. otherwise gh, aws, auh0 support it, I'm forgetting some others I use. beyond that you can generate 2fa codes too

[–] [email protected] 2 points 1 year ago

Setting up: https://www.yubico.com/setup/yubikey-5-series/

Supported services: https://www.yubico.com/works-with-yubikey/catalog/

Google Accounts (for your gmail): https://www.yubico.com/works-with-yubikey/catalog/google-accounts/

[–] CosmicTurtle 2 points 1 year ago

I use yubikey everywhere it's available for me. Initially, the first few websites in the early years were challenging. I think a lot of devs were still trying to figure out the workflow.

But today, it's usually as simple, or simpler, than TOTP.

So it might be worth trying again. I'd use a YubiKey 4 or higher if you can. If you have an older one, you may want to upgrade to take advantage of the newer technology like NFC and Bluetooth if you're into that.

I just wish YubiKey could store more than like 30 TOTP tokens.

[–] [email protected] 1 points 1 year ago

Sounds like a skill issue.

Have had yubikey for a few years. It was a pain to set it up initially, but it took me less than an hour if I remember correctly. Since then the only issue I have is that sometimes I accidentally bump into it and it pastes an OTK to a random place.

[–] Subverb 1 points 1 year ago

I use mine with AWS.