this post was submitted on 22 Jan 2024
599 points (97.6% liked)

Technology

58303 readers
7 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

I just got the email from haveibeenpwned. F Trello.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 38 points 10 months ago* (last edited 10 months ago) (3 children)

This is not something a company did.

The group of people took a list of user names and passwords from a different breach and tried them on trello to see if people used the same password and wrote down which ones did.

Nothing a company can possibly do to stop this, only users can.

Even if the company required 2 factor authentication to fully log in, getting this far would still confirm each account/password combo was correct, which is all the "hackers" did.

[–] [email protected] 45 points 10 months ago

That's not what happened.

Attackers queried n email addresses against trello, who responded with names and user names for accounts that existed.

No one asked trello to publish their names, so that's a breach.

[–] [email protected] 21 points 10 months ago (2 children)

This isn't completely true, but it is the current standard.

A website can detect and block many user/password attempts from the same IP and block IPs that are suspicious.

Websites can detect elivated login fails across many IPs are react accordingly (It may be reasonable to block all logins for a time if they detect an attack like this)

I'm sure there are other strategies, I don't know how often they are actually employed, but I wish companies would start taking this sort of attack more seriously (even if it's not at all hacking)

[–] [email protected] 10 points 10 months ago (2 children)

CGNAT would throw a wrench in that when you have thousands of users using mobile data and they appear to be coming from the same ip.

[–] [email protected] 4 points 10 months ago* (last edited 10 months ago)

Nooooo, people keep telling me IPv6 will be insecure because of no longer having NAT.

Mostly people who don't know what a subnet is, but people.

[–] [email protected] 4 points 10 months ago

You look for trends, not raw numbers. If an ip increase 500%in 10 minutes... throttle it a bit... insert wait times. If it's trust worthy then allow new value to become normal... otherwise keep the ip throttled.

[–] [email protected] 4 points 10 months ago* (last edited 10 months ago) (1 children)

It may be reasonable to block all logins for a time if they detect an attack like this

That would be a P1 incident and probably violate SLAs depending on the duration.

[–] [email protected] 7 points 10 months ago

Inserting a literally meaningless delay like 5 seconds is sufficient to make your service virtually impenetrable to mass bruteforce/stuffing attacks. Credential stuffing become untenable when your trying to stuff 1million creds with a 5 second cooldown. Most normal users who would hit it would just think their wifi or cell service hicupped.

[–] [email protected] -2 points 10 months ago

I mean, passkeys are a thing.