I just got the email from haveibeenpwned. F Trello.

    • ChrislyBear@lemmy.world
      link
      fedilink
      English
      arrow-up
      46
      ·
      11 months ago

      They do, in the EU. If you fuck up your customer’s data, you’ll face fines consisting of hefty percentages of your yearly revenue!

        • JustEnoughDucks@feddit.nl
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          11 months ago

          Oh noooo, 1% of their yearly gross revenue or 1.3% of their yearly gross profit. What a fine!

          Side note: I would love to discover a public record of them paying these fines… we hear they ate fined, but never that they had to pay them. What is stopping them from cutting a deal of a payment plan over 20 years with 0% interest or full up front but only paying 30% of it or some lobbying BS.

          We can infer that for sure this fine is coming out pre-tax.

    • Tarquinn2049@lemmy.world
      link
      fedilink
      English
      arrow-up
      50
      arrow-down
      17
      ·
      edit-2
      11 months ago

      This is not something a company did.

      The group of people took a list of user names and passwords from a different breach and tried them on trello to see if people used the same password and wrote down which ones did.

      Nothing a company can possibly do to stop this, only users can.

      Even if the company required 2 factor authentication to fully log in, getting this far would still confirm each account/password combo was correct, which is all the “hackers” did.

      • fine_sandy_bottom@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        45
        ·
        11 months ago

        That’s not what happened.

        Attackers queried n email addresses against trello, who responded with names and user names for accounts that existed.

        No one asked trello to publish their names, so that’s a breach.

      • joshhsoj1902@lemmy.ca
        link
        fedilink
        English
        arrow-up
        23
        arrow-down
        2
        ·
        11 months ago

        This isn’t completely true, but it is the current standard.

        A website can detect and block many user/password attempts from the same IP and block IPs that are suspicious.

        Websites can detect elivated login fails across many IPs are react accordingly (It may be reasonable to block all logins for a time if they detect an attack like this)

        I’m sure there are other strategies, I don’t know how often they are actually employed, but I wish companies would start taking this sort of attack more seriously (even if it’s not at all hacking)

        • glitch1985@lemmy.world
          link
          fedilink
          English
          arrow-up
          11
          arrow-down
          1
          ·
          11 months ago

          CGNAT would throw a wrench in that when you have thousands of users using mobile data and they appear to be coming from the same ip.

          • frezik@midwest.social
            link
            fedilink
            English
            arrow-up
            4
            ·
            edit-2
            11 months ago

            Nooooo, people keep telling me IPv6 will be insecure because of no longer having NAT.

            Mostly people who don’t know what a subnet is, but people.

          • Saik0@lemmy.saik0.com
            link
            fedilink
            English
            arrow-up
            3
            ·
            11 months ago

            You look for trends, not raw numbers. If an ip increase 500%in 10 minutes… throttle it a bit… insert wait times. If it’s trust worthy then allow new value to become normal… otherwise keep the ip throttled.

        • sfgifz@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          2
          ·
          edit-2
          11 months ago

          It may be reasonable to block all logins for a time if they detect an attack like this

          That would be a P1 incident and probably violate SLAs depending on the duration.

          • Saik0@lemmy.saik0.com
            link
            fedilink
            English
            arrow-up
            7
            arrow-down
            1
            ·
            11 months ago

            Inserting a literally meaningless delay like 5 seconds is sufficient to make your service virtually impenetrable to mass bruteforce/stuffing attacks. Credential stuffing become untenable when your trying to stuff 1million creds with a 5 second cooldown. Most normal users who would hit it would just think their wifi or cell service hicupped.

    • Petter1@lemm.ee
      link
      fedilink
      English
      arrow-up
      12
      arrow-down
      3
      ·
      11 months ago

      I agree that data security is important, even if it is only email addresses, where many are probably findable in the web anyway. Maybe, the link with the username has some value, but I’d bet only little. In my opinion, harsh penalties are more needed in privacy invasive (in my opinion malware) like google, meta, Amazon etc. are spreading.

      • deadbeef79000@lemmy.nz
        link
        fedilink
        English
        arrow-up
        9
        ·
        11 months ago

        The problem is that this data can be combined with other data. An email address by itself isn’t particularly important but when it’s matched up with names, physical addresses, DoB, SSN, other PII and the network of other services with matching data it becomes very serious.

        It’s never just this breach, it’s every other breach as well. Every breach makes every preceeding breach more effective and more valuable.

          • deadbeef79000@lemmy.nz
            link
            fedilink
            English
            arrow-up
            1
            ·
            11 months ago

            Other breaches do.

            If two breaches have an overlap, e.g. they both contain email address, then they can be joined into a more complete set.

            • aidan@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              11 months ago

              Yeah, I don’t think there is much that would be gleamed by combining with this dataset

        • Petter1@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          11 months ago

          Of course, but where are names, physical addresses, DoB, SSN, etc in this dataset? It’s just mail and username

          • deadbeef79000@lemmy.nz
            link
            fedilink
            English
            arrow-up
            1
            ·
            11 months ago

            Other breaches do.

            If two breaches have an overlap, e.g. they both contain email address, then they can be joined into a more complete set.

    • CosmicTurtle@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      11 months ago

      Yes but this wasn’t a data breach. This was a data stuffing incident, meaning they took someone else’s data dump and tried their email and credentials here.

      • never use the same username and password in two or more places
      • always use MFA, a hard token if you can like a yubikey
      • Paragone@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        arrow-down
        1
        ·
        11 months ago

        Do you own a Yubikey?

        Have you ever succeeded in getting it to work with anything??

        It didn’t work with gmail, or any other online account I had.

        An absolute waste of $$.