this post was submitted on 22 Jan 2024
575 points (97.8% liked)

Technology

57472 readers
4632 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
575
15M Trello accounts have been leaked (lemy.lol)
submitted 7 months ago* (last edited 7 months ago) by [email protected] to c/[email protected]
97 comments fedilink hide all child comments
 

I just got the email from haveibeenpwned. F Trello.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 15 points 7 months ago* (last edited 7 months ago) (1 children)

tbf it's just email, username and real name so it's basically nothing when half of users are [email protected] either way.

[–] [email protected] 5 points 7 months ago (1 children)

For project tools like Trello, a good portion of your userbase is company emails. A malicious actor now has a list of company emails that they can compare against public facing data like Linkedin, imitate a user using a gmail based off their name, sending an email to that company's IT team asking for an MFA reset sent to the newly created gmail account. Now imagine if that compromised user is a developer with admin access to production environments. These were the conditions for various ransomware attacks.

An email, username, real name are not much, but it's a foot in the door.

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago) (1 children)

It is a foot in the door but honestly there are way too many doors out there so it's really hard to measure the real damage of this.

I worked at a pretty major employment company like 20 years ago when basically everything was legal and we didn't need to buy dark web datasets to find real names and contacts ever - most of that data is publicly available and can be captured with simple public scrapers and email checks.

I think expectation of names and emails being private should be thrown out of the window entirely and every security system should implicitly assume these details are publicly known.

[–] [email protected] 1 points 7 months ago

So the conditions I mentioned were directly from a series of ransomware attacks from the group BlackCat including the high profile ransomware incident targeting MGM Casinos last year. My team recently used the same premise during an incident response drill based on that event.