this post was submitted on 22 Jan 2024
602 points (97.8% liked)

Technology

59133 readers
2308 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

I just got the email from haveibeenpwned. F Trello.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 165 points 9 months ago (5 children)

Obligatory: companies should face harsh penalties for this stuff.

[–] [email protected] 50 points 9 months ago (1 children)

They do, in the EU. If you fuck up your customer's data, you'll face fines consisting of hefty percentages of your yearly revenue!

[–] [email protected] 19 points 9 months ago (1 children)

https://www.enforcementtracker.com/

Yep, hefty. Top 5: 1.2B meta, 746M amazon, 405M meta, 390M meta, 345M tiktok (all in €).

[–] [email protected] 4 points 9 months ago* (last edited 9 months ago)

Oh noooo, 1% of their yearly gross revenue or 1.3% of their yearly gross profit. What a fine!

Side note: I would love to discover a public record of them paying these fines... we hear they ate fined, but never that they had to pay them. What is stopping them from cutting a deal of a payment plan over 20 years with 0% interest or full up front but only paying 30% of it or some lobbying BS.

We can infer that for sure this fine is coming out pre-tax.

[–] [email protected] 38 points 9 months ago* (last edited 9 months ago) (3 children)

This is not something a company did.

The group of people took a list of user names and passwords from a different breach and tried them on trello to see if people used the same password and wrote down which ones did.

Nothing a company can possibly do to stop this, only users can.

Even if the company required 2 factor authentication to fully log in, getting this far would still confirm each account/password combo was correct, which is all the "hackers" did.

[–] [email protected] 45 points 9 months ago

That's not what happened.

Attackers queried n email addresses against trello, who responded with names and user names for accounts that existed.

No one asked trello to publish their names, so that's a breach.

[–] [email protected] 21 points 9 months ago (2 children)

This isn't completely true, but it is the current standard.

A website can detect and block many user/password attempts from the same IP and block IPs that are suspicious.

Websites can detect elivated login fails across many IPs are react accordingly (It may be reasonable to block all logins for a time if they detect an attack like this)

I'm sure there are other strategies, I don't know how often they are actually employed, but I wish companies would start taking this sort of attack more seriously (even if it's not at all hacking)

[–] [email protected] 10 points 9 months ago (2 children)

CGNAT would throw a wrench in that when you have thousands of users using mobile data and they appear to be coming from the same ip.

[–] [email protected] 4 points 9 months ago* (last edited 9 months ago)

Nooooo, people keep telling me IPv6 will be insecure because of no longer having NAT.

Mostly people who don't know what a subnet is, but people.

[–] [email protected] 4 points 9 months ago

You look for trends, not raw numbers. If an ip increase 500%in 10 minutes... throttle it a bit... insert wait times. If it's trust worthy then allow new value to become normal... otherwise keep the ip throttled.

[–] [email protected] 4 points 9 months ago* (last edited 9 months ago) (1 children)

It may be reasonable to block all logins for a time if they detect an attack like this

That would be a P1 incident and probably violate SLAs depending on the duration.

[–] [email protected] 7 points 9 months ago

Inserting a literally meaningless delay like 5 seconds is sufficient to make your service virtually impenetrable to mass bruteforce/stuffing attacks. Credential stuffing become untenable when your trying to stuff 1million creds with a 5 second cooldown. Most normal users who would hit it would just think their wifi or cell service hicupped.

[–] [email protected] -2 points 9 months ago

I mean, passkeys are a thing.

[–] [email protected] 26 points 9 months ago (3 children)

Yes but this wasn't a data breach. This was a data stuffing incident, meaning they took someone else's data dump and tried their email and credentials here.

  • never use the same username and password in two or more places
  • always use MFA, a hard token if you can like a yubikey
[–] [email protected] 10 points 9 months ago (2 children)

It's a breach.

Attackers queried email addresses and trello responded with names and user names.

[–] [email protected] 6 points 9 months ago

real names is definitely a breach

[–] [email protected] 4 points 9 months ago

Oooh that's pretty bad

[–] [email protected] 1 points 9 months ago (2 children)

Physical token over TOTP authenticator?

[–] [email protected] 2 points 9 months ago

all the root secrets are available in plain text the generator app at some point, they have to be. moving that to a single purpose device greatly reduces the risk of vulnerabilities in your phone leading to exfiltration via internet connection

[–] [email protected] 1 points 9 months ago

I cannot think of a use-case outside of statecraft. Maybe companies engaged, or being engaged, in corporate espionage.

[–] [email protected] 14 points 9 months ago* (last edited 9 months ago) (1 children)

tbf it's just email, username and real name so it's basically nothing when half of users are [email protected] either way.

[–] [email protected] 5 points 9 months ago (1 children)

For project tools like Trello, a good portion of your userbase is company emails. A malicious actor now has a list of company emails that they can compare against public facing data like Linkedin, imitate a user using a gmail based off their name, sending an email to that company's IT team asking for an MFA reset sent to the newly created gmail account. Now imagine if that compromised user is a developer with admin access to production environments. These were the conditions for various ransomware attacks.

An email, username, real name are not much, but it's a foot in the door.

[–] [email protected] 2 points 9 months ago* (last edited 9 months ago) (1 children)

It is a foot in the door but honestly there are way too many doors out there so it's really hard to measure the real damage of this.

I worked at a pretty major employment company like 20 years ago when basically everything was legal and we didn't need to buy dark web datasets to find real names and contacts ever - most of that data is publicly available and can be captured with simple public scrapers and email checks.

I think expectation of names and emails being private should be thrown out of the window entirely and every security system should implicitly assume these details are publicly known.

[–] [email protected] 1 points 9 months ago

So the conditions I mentioned were directly from a series of ransomware attacks from the group BlackCat including the high profile ransomware incident targeting MGM Casinos last year. My team recently used the same premise during an incident response drill based on that event.

[–] [email protected] 12 points 9 months ago (1 children)

I agree that data security is important, even if it is only email addresses, where many are probably findable in the web anyway. Maybe, the link with the username has some value, but I’d bet only little. In my opinion, harsh penalties are more needed in privacy invasive (in my opinion malware) like google, meta, Amazon etc. are spreading.

[–] [email protected] 9 points 9 months ago (2 children)

The problem is that this data can be combined with other data. An email address by itself isn't particularly important but when it's matched up with names, physical addresses, DoB, SSN, other PII and the network of other services with matching data it becomes very serious.

It's never just this breach, it's every other breach as well. Every breach makes every preceeding breach more effective and more valuable.

[–] [email protected] 1 points 9 months ago (1 children)

Except this contains none of that

[–] [email protected] 1 points 9 months ago (1 children)

Other breaches do.

If two breaches have an overlap, e.g. they both contain email address, then they can be joined into a more complete set.

[–] [email protected] 0 points 9 months ago

Yeah, I don't think there is much that would be gleamed by combining with this dataset

[–] [email protected] 0 points 9 months ago (1 children)

Of course, but where are names, physical addresses, DoB, SSN, etc in this dataset? It’s just mail and username

[–] [email protected] 1 points 9 months ago

Other breaches do.

If two breaches have an overlap, e.g. they both contain email address, then they can be joined into a more complete set.