602
15M Trello accounts have been leaked
(lemy.lol)
This is a most excellent place for technology news and articles.
Obligatory: companies should face harsh penalties for this stuff.
This is not something a company did.
The group of people took a list of user names and passwords from a different breach and tried them on trello to see if people used the same password and wrote down which ones did.
Nothing a company can possibly do to stop this, only users can.
Even if the company required 2 factor authentication to fully log in, getting this far would still confirm each account/password combo was correct, which is all the "hackers" did.
This isn't completely true, but it is the current standard.
A website can detect and block many user/password attempts from the same IP and block IPs that are suspicious.
Websites can detect elivated login fails across many IPs are react accordingly (It may be reasonable to block all logins for a time if they detect an attack like this)
I'm sure there are other strategies, I don't know how often they are actually employed, but I wish companies would start taking this sort of attack more seriously (even if it's not at all hacking)
That would be a P1 incident and probably violate SLAs depending on the duration.
Inserting a literally meaningless delay like 5 seconds is sufficient to make your service virtually impenetrable to mass bruteforce/stuffing attacks. Credential stuffing become untenable when your trying to stuff 1million creds with a 5 second cooldown. Most normal users who would hit it would just think their wifi or cell service hicupped.