Yes but this wasn’t a data breach. This was a data stuffing incident, meaning they took someone else’s data dump and tried their email and credentials here.
never use the same username and password in two or more places
always use MFA, a hard token if you can like a yubikey
all the root secrets are available in plain text the generator app at some point, they have to be. moving that to a single purpose device greatly reduces the risk of vulnerabilities in your phone leading to exfiltration via internet connection
mine works for my personal google account, work one is sso and doesn’t have it enabled. otherwise gh, aws, auh0 support it, I’m forgetting some others I use. beyond that you can generate 2fa codes too
I use yubikey everywhere it’s available for me. Initially, the first few websites in the early years were challenging. I think a lot of devs were still trying to figure out the workflow.
But today, it’s usually as simple, or simpler, than TOTP.
So it might be worth trying again. I’d use a YubiKey 4 or higher if you can. If you have an older one, you may want to upgrade to take advantage of the newer technology like NFC and Bluetooth if you’re into that.
I just wish YubiKey could store more than like 30 TOTP tokens.
Yes but this wasn’t a data breach. This was a data stuffing incident, meaning they took someone else’s data dump and tried their email and credentials here.
It’s a breach.
Attackers queried email addresses and trello responded with names and user names.
real names is definitely a breach
Oooh that’s pretty bad
Physical token over TOTP authenticator?
all the root secrets are available in plain text the generator app at some point, they have to be. moving that to a single purpose device greatly reduces the risk of vulnerabilities in your phone leading to exfiltration via internet connection
I cannot think of a use-case outside of statecraft. Maybe companies engaged, or being engaged, in corporate espionage.
Do you own a Yubikey?
Have you ever succeeded in getting it to work with anything??
It didn’t work with gmail, or any other online account I had.
An absolute waste of $$.
mine works for my personal google account, work one is sso and doesn’t have it enabled. otherwise gh, aws, auh0 support it, I’m forgetting some others I use. beyond that you can generate 2fa codes too
Setting up: https://www.yubico.com/setup/yubikey-5-series/
Supported services: https://www.yubico.com/works-with-yubikey/catalog/
Google Accounts (for your gmail): https://www.yubico.com/works-with-yubikey/catalog/google-accounts/
I use yubikey everywhere it’s available for me. Initially, the first few websites in the early years were challenging. I think a lot of devs were still trying to figure out the workflow.
But today, it’s usually as simple, or simpler, than TOTP.
So it might be worth trying again. I’d use a YubiKey 4 or higher if you can. If you have an older one, you may want to upgrade to take advantage of the newer technology like NFC and Bluetooth if you’re into that.
I just wish YubiKey could store more than like 30 TOTP tokens.
I use mine with AWS.