Oh noooo, 1% of their yearly gross revenue or 1.3% of their yearly gross profit. What a fine!
Side note: I would love to discover a public record of them paying these fines… we hear they ate fined, but never that they had to pay them. What is stopping them from cutting a deal of a payment plan over 20 years with 0% interest or full up front but only paying 30% of it or some lobbying BS.
We can infer that for sure this fine is coming out pre-tax.
Yes but this wasn’t a data breach. This was a data stuffing incident, meaning they took someone else’s data dump and tried their email and credentials here.
never use the same username and password in two or more places
always use MFA, a hard token if you can like a yubikey
mine works for my personal google account, work one is sso and doesn’t have it enabled. otherwise gh, aws, auh0 support it, I’m forgetting some others I use. beyond that you can generate 2fa codes too
I use yubikey everywhere it’s available for me. Initially, the first few websites in the early years were challenging. I think a lot of devs were still trying to figure out the workflow.
But today, it’s usually as simple, or simpler, than TOTP.
So it might be worth trying again. I’d use a YubiKey 4 or higher if you can. If you have an older one, you may want to upgrade to take advantage of the newer technology like NFC and Bluetooth if you’re into that.
I just wish YubiKey could store more than like 30 TOTP tokens.
Have had yubikey for a few years. It was a pain to set it up initially, but it took me less than an hour if I remember correctly. Since then the only issue I have is that sometimes I accidentally bump into it and it pastes an OTK to a random place.
For project tools like Trello, a good portion of your userbase is company emails. A malicious actor now has a list of company emails that they can compare against public facing data like Linkedin, imitate a user using a gmail based off their name, sending an email to that company’s IT team asking for an MFA reset sent to the newly created gmail account. Now imagine if that compromised user is a developer with admin access to production environments. These were the conditions for various ransomware attacks.
An email, username, real name are not much, but it’s a foot in the door.
It is a foot in the door but honestly there are way too many doors out there so it’s really hard to measure the real damage of this.
I worked at a pretty major employment company like 20 years ago when basically everything was legal and we didn’t need to buy dark web datasets to find real names and contacts ever - most of that data is publicly available and can be captured with simple public scrapers and email checks.
I think expectation of names and emails being private should be thrown out of the window entirely and every security system should implicitly assume these details are publicly known.
So the conditions I mentioned were directly from a series of ransomware attacks from the group BlackCat including the high profile ransomware incident targeting MGM Casinos last year. My team recently used the same premise during an incident response drill based on that event.
I agree that data security is important, even if it is only email addresses, where many are probably findable in the web anyway. Maybe, the link with the username has some value, but I’d bet only little.
In my opinion, harsh penalties are more needed in privacy invasive (in my opinion malware) like google, meta, Amazon etc. are spreading.
The problem is that this data can be combined with other data. An email address by itself isn’t particularly important but when it’s matched up with names, physical addresses, DoB, SSN, other PII and the network of other services with matching data it becomes very serious.
It’s never just this breach, it’s every other breach as well. Every breach makes every preceeding breach more effective and more valuable.
Obligatory: companies should face harsh penalties for this stuff.
They do, in the EU. If you fuck up your customer’s data, you’ll face fines consisting of hefty percentages of your yearly revenue!
https://www.enforcementtracker.com/
Yep, hefty. Top 5: 1.2B meta, 746M amazon, 405M meta, 390M meta, 345M tiktok (all in €).
Oh noooo, 1% of their yearly gross revenue or 1.3% of their yearly gross profit. What a fine!
Side note: I would love to discover a public record of them paying these fines… we hear they ate fined, but never that they had to pay them. What is stopping them from cutting a deal of a payment plan over 20 years with 0% interest or full up front but only paying 30% of it or some lobbying BS.
We can infer that for sure this fine is coming out pre-tax.
Yes but this wasn’t a data breach. This was a data stuffing incident, meaning they took someone else’s data dump and tried their email and credentials here.
It’s a breach.
Attackers queried email addresses and trello responded with names and user names.
real names is definitely a breach
Oooh that’s pretty bad
Do you own a Yubikey?
Have you ever succeeded in getting it to work with anything??
It didn’t work with gmail, or any other online account I had.
An absolute waste of $$.
mine works for my personal google account, work one is sso and doesn’t have it enabled. otherwise gh, aws, auh0 support it, I’m forgetting some others I use. beyond that you can generate 2fa codes too
Setting up: https://www.yubico.com/setup/yubikey-5-series/
Supported services: https://www.yubico.com/works-with-yubikey/catalog/
Google Accounts (for your gmail): https://www.yubico.com/works-with-yubikey/catalog/google-accounts/
I use yubikey everywhere it’s available for me. Initially, the first few websites in the early years were challenging. I think a lot of devs were still trying to figure out the workflow.
But today, it’s usually as simple, or simpler, than TOTP.
So it might be worth trying again. I’d use a YubiKey 4 or higher if you can. If you have an older one, you may want to upgrade to take advantage of the newer technology like NFC and Bluetooth if you’re into that.
I just wish YubiKey could store more than like 30 TOTP tokens.
Sounds like a skill issue.
Have had yubikey for a few years. It was a pain to set it up initially, but it took me less than an hour if I remember correctly. Since then the only issue I have is that sometimes I accidentally bump into it and it pastes an OTK to a random place.
I use mine with AWS.
tbf it’s just email, username and real name so it’s basically nothing when half of users are name.lastname@gmail.com either way.
For project tools like Trello, a good portion of your userbase is company emails. A malicious actor now has a list of company emails that they can compare against public facing data like Linkedin, imitate a user using a gmail based off their name, sending an email to that company’s IT team asking for an MFA reset sent to the newly created gmail account. Now imagine if that compromised user is a developer with admin access to production environments. These were the conditions for various ransomware attacks.
An email, username, real name are not much, but it’s a foot in the door.
It is a foot in the door but honestly there are way too many doors out there so it’s really hard to measure the real damage of this.
I worked at a pretty major employment company like 20 years ago when basically everything was legal and we didn’t need to buy dark web datasets to find real names and contacts ever - most of that data is publicly available and can be captured with simple public scrapers and email checks.
I think expectation of names and emails being private should be thrown out of the window entirely and every security system should implicitly assume these details are publicly known.
So the conditions I mentioned were directly from a series of ransomware attacks from the group BlackCat including the high profile ransomware incident targeting MGM Casinos last year. My team recently used the same premise during an incident response drill based on that event.
I agree that data security is important, even if it is only email addresses, where many are probably findable in the web anyway. Maybe, the link with the username has some value, but I’d bet only little. In my opinion, harsh penalties are more needed in privacy invasive (in my opinion malware) like google, meta, Amazon etc. are spreading.
The problem is that this data can be combined with other data. An email address by itself isn’t particularly important but when it’s matched up with names, physical addresses, DoB, SSN, other PII and the network of other services with matching data it becomes very serious.
It’s never just this breach, it’s every other breach as well. Every breach makes every preceeding breach more effective and more valuable.
Except this contains none of that
Other breaches do.
If two breaches have an overlap, e.g. they both contain email address, then they can be joined into a more complete set.
Yeah, I don’t think there is much that would be gleamed by combining with this dataset
Of course, but where are names, physical addresses, DoB, SSN, etc in this dataset? It’s just mail and username
Other breaches do.
If two breaches have an overlap, e.g. they both contain email address, then they can be joined into a more complete set.