back to article Trello! It is me... you locked the door? User warns of single sign-on risk after barring self from own account

An issue where Trello user Shashank Tomar was locked out of his personal account because of a secondary email belonging to a company he left five years ago has drawn criticism from users. The story goes like this. Tomar created his personal Trello account "long before Trello was acquired by Atlassian", as he told the Atlassian …

  1. alain williams Silver badge

    Never trust a data store that you can't touch

    always keep a local backup. Yes: it is more work and management but anything that you do not possess can be taken away by whoever does own it.

    It is not just unexpected policy changes, like with this story, but also a technical issue. Your data is worth much more to you than the company that has it, so they will not put much effort in to recovering it after some error.

    Another issue: who can read your data when it is in someone else's cloud ?

    1. Headley_Grange Silver badge

      Re: Never trust a data store that you can't touch

      True Dat (I'm watching the Wire box set at the mo'). I even dump my Mac notes out into plain text every so often, just in case

      1. Flywheel Silver badge
        Thumb Up

        Re: Never trust a data store that you can't touch

        Yup! And while you're at it, if you have social media accounts, try and take a regular data dump of those as well. Twitter allows this and can be potentially be very useful if someone later claims you libeled/slandered them.

    2. Mike 137 Silver badge

      Re: Never trust a data store that you can't touch

      and never mix business with pleasure. Using your bosses systems for private things inevitably leads to confusion about ownership of data.

  2. Wellyboot Silver badge

    comparison

    You hand your money to a bank - These have independant global and national oversight bodies with power to enforce a large set of laws, regulations and punitive penalties. - you can be fairly certain your money is safe.

    You hand your data to a cloud company - These have ever changing T&Cs, more money than you & almost nothing to lose if anything goes bad - what's their incentive to give a flying one?

    Decide how much of a PIA losing your data will be, then keep an up to date local backup.

    1. The Man Who Fell To Earth Silver badge
      WTF?

      Re: comparison

      "For people that use Trello for personal organization, we recommend creating a separate account that’s only associated with a personal (non-work) email address."

      I have no sympathy for Shashank Tomar. The bank analogy isn't bad. Just as you would not run the money for your employer through your personal bank accounts (unless you are a moron or an embezzler), you should not mix your work product for an employer with your personal (hobby) work.

      1. Irongut Silver badge

        Re: comparison

        Yup its all the idiot's own fault. He shouldn't have used a personal account for work, he shouldn't have added a work email to a personal account and he definitely should have removed a 5 year old work email that he no longer had access to from his account. He is stupid and lazy and now he pays the price.

        Don't be stupid and lazy folks, once upon a time it would have gotten you eaten.

      2. MachDiamond Silver badge

        Re: comparison

        "you should not mix your work product for an employer with your personal (hobby) work."

        It might not be hobby work. If you are working on something outside of your employer, if there is a hint that you used any of your employer's resources, they could have a claim on your product/invention.

    2. Robert D Bank

      Re: comparison

      or just don't go there in the first place?

    3. MachDiamond Silver badge

      Re: comparison

      "You hand your money to a bank - These have independant global and national oversight bodies with power to enforce a large set of laws, regulations and punitive penalties. - you can be fairly certain your money is safe."

      Wellllllll. That might not be a good analogy. The money you have in a bank is not under your control and subject to whoever can grab it, legally or illegally. Have some tax issues, the government can empty your account without notice. Making a purchase of property and somebody pulls a MIM attack between you and the solicitor, money gone. If you went to the solicitor's office and handed them the payment physically rather than electronically, you have some assurance that it got to the right place. Get a receipt, obviously.

      Storing data securely is mostly getting into the habit of doing it. Just make backing up part of your routine. I have stuff on multiple drives onsite and off. My offsite backup is the top shelf of a family member's guest room closet. The drives are boxed up with a return label applied and a note identifying what drives are in the box. I can just ring up and have the box posted back to me if I need it. They are a several hour drive away so far enough that a natural disaster is unlikely to affect us both, but close enough that I could make it there and back in one day. If I was even more clever, I'd have the drives set up so they could be plugged in to the family member's computer so they could be made available online via a VPN, but I'm not that clever.

  3. Gene Cash Silver badge

    Personal IP rights?

    He could sue (or threaten to sue) because the old company has no right to his personal IP.

    If the tables were turned and Atlassian gave him access to ACME's code, you bet yer pants ACME would sue.

    Still, not keeping local backups is 100% his fault.

    1. Stuart 22

      Re: Personal IP rights?

      "He could sue (or threaten to sue) because the old company has no right to his personal IP."

      Dunno what jurisdiction(s) would apply but I'd bet a big load tht it would cost a big load and, if succesful, he might get his data back or destroyed and it would take another big load to get costs. Not something worth betting on for the average person.

      1. Peter2 Silver badge

        Re: Personal IP rights?

        I personally wouldn't threaten to sue. I'd just ask them to justify the lawful basis of what appears to be a severe GDPR breach or remedy it within a reasonable period (say 24 hours) or face a GDPR complaint to the government body that deals with said complaints.

        Zero cost to you, fines of up to 2% of global turnover or about 10 million, whichever is the higher to the company that's screwed up.

    2. Pascal Monett Silver badge

      Re: the old company has no right to his personal IP

      Says who ? The secondary address belongs to the old company. There is strong incentive to believe that that is sufficient to prove ownership.

      I have trouble feeling sorry for the guy. He gave in to convenience, didn't care about following up when he left the company, and is now complaining that his own complacency is putting him in trouble.

      If you think a tool can be used in your company, then you register it in your company identity and use it solely for company stuff. This nitwit mixed personal and private and, more importantly, didn't bother to separate the two when he left. Now he's surprised that there are consequences.

      Well, you have to learn one day or another.

      1. Joe W Silver badge

        Re: the old company has no right to his personal IP

        Yes. Secondary address. There was data tied explicitly to the former employer (via that secondary email address), and that data got removed when he quit. The account was primarily tied to the "main" address, which was used for login etc. Thus I do not think that it is as clear cut as you make it - but then probably neither of us is a lawyer. What if there was another secondary address, tied to yet another company? What would happen then? Why should a secondary email address (that had some data in the account tied to it, which was actually cleaned up) be sufficient evidence to tie all data in an account to a company?

        Still, not good to mix personal and business data. That just does not work and will result in more problems. Sure, we all agree that he should have opened a second Trello account tied to his work address, but hindsight is 20/20.

        1. Pascal Monett Silver badge
          FAIL

          Re: that data got removed when he quit

          Where is it indicated that it was removed ? there is absolutely nothing in the article about that.

  4. Giles C Bronze badge

    Hence the reason I have personal devices and work devices. I also won’t use personal credentials to log into any work services (not that I have a job at the moment)

    1. Anonymous Coward
      Anonymous Coward

      This.

      Ended up with work telling me they'd switched on 2FA on my work-provided PC and that I could use "my device" to log in--preferably using an app. At the time, I had no working mobile phone (I assumed that was the kind of device they were referring to) and said nope don't do that! They're still looking into other options. I'm not using my kit for my employee and definitely not letting them determine what software I install.

      Were I physically going into work right now, I'd still be leaving the new phone at home or at least switched off and in my bag.

      So, yes, 2 Github accounts, etc.

  5. Boothy Silver badge

    Would this come under GDPR or similar rules?

    Assuming the personal Trello contained actual personal data, the sort that GDPR would cover (or similar laws in other locations), and the person involved lived in the EU (or location covered by those similar rules), could they not report Trello/Atlassian for breach of GDPR, due to handing over access of said personal data to a 3rd party that had no right to it? (i.e ACME in this case).

    After all, GDPR and law in general, trumps any Ts&Cs a company might try to enforce.

    The same could then possibly be true for any 3rd party trying to do the same thing on other services.

    Just a thought anyway!

    1. Pascal Monett Silver badge

      Re: handing over access of said personal data to a 3rd party that had no right to it

      Again, what is your proof of that, given that the 3rd party was registered as secondary address ?

      How can you say that said 3rd party had no right to it and, more importantly, do you really think that there's a lawyer that is going to try that angle when the 3rd party was registered as a secondary address ?

      That you think that the 3rd party had no business accessing the data is not supported by fact, is what I'm saying.

      1. Anonymous Coward
        Anonymous Coward

        Re: handing over access of said personal data to a 3rd party that had no right to it

        GDPR requires explicit consent so it would be up to ACME to prove that they have a right to see his personal data.

      2. Boothy Silver badge

        Re: handing over access of said personal data to a 3rd party that had no right to it

        Quote: "How can you say that said 3rd party had no right to it..."

        If this was personal data, then under GDPR the subject, i.e. the person the data is about, has full legal control over what happens to that data. Any 3rd party wanting access has to, by law, gain explicit permission to do so.

      3. MOH

        Re: handing over access of said personal data to a 3rd party that had no right to it

        It's not up to the user to prove that the company has no right to their personal data.

        It's up to the company to demonstrate that they have a right to store and process the user's personal data.

        That you think the onus is on the user is not supported by law.

  6. Santa from Exeter

    Old e-mail

    The question in my mind is why he didn't remove the AQCME e-mail when he stopped working for them.

    A simple bit of sanitisation and housekeeping on his part could have saved all this hassle

    1. Jason Bloomberg Silver badge

      Re: Old e-mail

      Arguably the company should have unlinked the ex-employee's email from their projects. The ex-employee shouldn't need to worry if the company is giving them access they shouldn't have. That's the company's problem.

      But, whoever is to blame; it's simply not right that solely personal projects, never linked to the company, are no longer accessible.

    2. Anonymous Coward
      Anonymous Coward

      Re: Old e-mail

      The question in my mind is why he didn't remove the AQCME e-mail when he stopped working for them.

      I think he is implying Trello's UI provides no obvious way of achieving this.

      1. Pascal Monett Silver badge

        Still, that is an issue he should have raised when he left the company, not when he got bitten by the change years later.

      2. Dan 55 Silver badge
        Devil

        Re: Old e-mail

        And the canned reply at the end does not address this or the fact that his personal account was there first before the SSO switch was flipped and it got hijacked.

        I.e. Atlassian has no intention of fixing obviously wrong behaviour, which will come as no surprise at all to anyone who has to put up with Jira or Confluence.

  7. Jeroen Braamhaar
    Black Helicopters

    CLOUD

    Complete

    Loss

    Of

    Uncontrollable

    Data

  8. vogon00

    Yet another reason....

    ...to keep your professional and private accounts/data separate. I don't have much sympathy for people suffering from this....what did you expect?

    AFAIK most employment contracts have a clause in them that says anything done with employer's resources is the property of said employer....so if you get terminated you will probably loose it - especially if you are fired and immediately frog-marched off site*.

    Plan ahead, people, and plan for the worst:-) You are still (just about) the master of your own data's destiny.

    *Never suffered this myself though - employer's have always been 'polite' and reasonable.

    1. Getmo

      Re: Yet another reason....

      Don't forget about BYOD!

      Usually the egregious ToS contacts they make you accept before using the corporate apps allow them much more control over your personal device than most people realize. Remote wipe, for example.

      1. Boothy Silver badge

        Re: Yet another reason....

        That's why I've refused to add company email or office apps, innc Skype (for business) onto my phone. The phone is mine, not theirs, and the company no longer provides company phones.

        Due to SSO etc. You have to install a 3rd part app that becomes a remote admin on the phone, this enforces things like password rules (so no pin, fingerprint reader, face unlock etc allowed), encryption (done by default anyway these days, so meh), remote wiping etc.

        The only tool I have installed, was the token generator (for multi-factor logins), as this was a plain app that asked for no additional permissions.

  9. cpm86

    Cloud data is wispy

    Yes, cloud is great for flexing capacity or, at a personal level, giving access to devices and friends, but local sync and then proper backup is your friend - rclone, gyb and lots of automated scripts followed by veeam, restic, borg.....

  10. Frozit

    SSO is flawed

    The concept of SSO in a business environment works fine.

    As a personal choice, it fails. The basic flaw is if you link a bunch of external accounts to Facebook, Google, Microsoft or whatever is that if you lose that account for some reason, you have lost all your accounts.

    There is a story about someone losing their Google account because they posted a bunch of smiley's in a Youtube comment. Exactly what was posted is up for debate, but the damage caused way outweighs the supposed crime.

    1. Nunyabiznes Silver badge

      Re: SSO is flawed

      Absolutely.

      I had a personal email through my internet provider. I used that as a sign on for a couple of forums. When my provider was bought out they changed the email addresses of subscribers and then turned off the old accounts within a short period of time. Well that's all well and fine until I tried to sign on to said forums and could not because my email address was not valid.

      Oof. Luckily I was able to contact administrators and get access again. That could have gone sideways quickly and would have been my fault for not keeping a proper list of logins and updating them right away.

      1. vogon00

        Re: SSO is flawed

        +1 for the admission of liability!

    2. P. Lee Silver badge

      Re: SSO is flawed

      Yep - these cloud providers are publishers, not platforms and they do take an interest in your politics. Using them for SSO is foolish.

      Relying on anyone's goodwill on a day-to-day basis for the running of your business is foolish, unless at any time you can swap them out for a different provider with acceptable impact to your business.

      I just wouldn't do it. Keep you cloud, I'll just use my laptop.

    3. MachDiamond Silver badge

      Re: SSO is flawed

      "The basic flaw is if you link a bunch of external accounts to Facebook, Google, Microsoft or whatever is that if you lose that account for some reason, you have lost all your accounts."

      This is the same flaw with Amazon Prime. If you have a prime account and have videos and music libraries on that account and you are cut off for too many returned items or other vague ToS violation, the media library is gone too. That can also include all of the books/audiobooks you have on your Kindle or Kindle emulator. They just reach out and delete it.

  11. Anonymous Coward
    Anonymous Coward

    I've been unpicking my personal accounts from my work e-mail for a long time. It was convenient in the dialup days as it was hard to check the personal e-mail in the office. However in the modern age its much better to keep the two separate.

    I don't mind using cloud services like github but I only them to make life easier or as a secondary store. As others have said in most cases my primary copy is stored locally and backed up regularly.

    Unless the Atlassian UI makes it easy to delete an e-mail address you have lost access to then they have to shoulder some of the blame for this.

  12. whoseyourdaddy

    Remember the guy who pissed someone off as a reporter, so they social-engineered into his cloud photo storage and destroyed his life?

    You can tell I'm old. I keep an LTO tape drive and SAS Card from way back.

    I trust spinning metal more than flash but, it's not backed up unless it's on tape (about $6k in CAD training videos I would have to buy again.)

    just have to keep a spare working LTO-4 drive.

    1. vogon00

      +1 for the backup strategy.

      Co-incidentally, I needed some RTP audio despatch code I knew I wrote years ago. Finally found it on a 'backup' IDE hard disk...which briefly 'choked' on spin-up.

      OK, OK, I *know* I should have used tape....which for me means DAT. Still got two drives somewhere.

      1. Alan Brown Silver badge

        "which for me means DAT"

        Forget the drives. 4mm tape has always been spectacularly unreliable in the long term.

    2. Anonymous Coward
      Anonymous Coward

      M-DISC for archival

      I've been looking at M-DISC Bluray's for archival instead. eg:

      Seems like a safer bet than tape, just due to wider availability of bluray drives that can read them.

      LTO-4 drives will be around for a few years, but more recent generations (LTO-7 and above) won't be able to read the tapes.

      (Apologies for the formatting, the styling of lists by TheReg is fairly broken)

      1. Alan Brown Silver badge

        Re: M-DISC for archival

        "LTO-4 drives will be around for a few years, but more recent generations (LTO-7 and above) won't be able to read the tapes."

        It's worse than that.

        Owing to a media formulation change during LTO6, LTO7 won't read or write earlier versions as the abrasiveness of the older media can destroy heads in short order

        That breaks the entire "read/write -1 generation, read -2" that everyone's used to and is going to make migration a royal pain in the arse.

  13. bigtreeman

    Yours / Theirs

    And using the company laptop.

    The cloud reaches all your files and puts them on the cloud.

    I used my own (bought and paid) software for work when they wouldn't pay for their own software.

    I uninstalled my apps, but they still have copies.

    Apart from all their other pirated software they have now pirated my software.

    1. tiggity Silver badge

      Re: Yours / Theirs

      You could mention them to FAST or similar..

  14. low_resolution_foxxes Bronze badge

    Interesting user situation.

    Looking at the probable employer, I can certainly see why they might be a bit tetchy about security (critical energy/infrastructure, major global player, working in some very sensitive global locations). Although frankly I'm slightly surprised they use Trello...

    I laughed and thought "would never happen to me!" and then I realised, that for really stupid reasons (understandable IT fuckups) I think several of my accounts have a backup linked to my employer, it is not impossible that something similar could happen. Hell, one of my food delivery logins is my employers (it rejected my personal email due to "existing account", then said no such account exists!".

    In this case.. The ultimate confusion is ownership, the user opened the account, but settings were enforced by others. Tbfh, he fixed his own problem anyway.

    I was never entirely sure how much "business data" to put in a free Trello account. Sure, it's probably OK, but WHO can snoop? I'm talking, Chinese/Russian/Korean/USA software engineers, who could theoretically have data slurps from bad actors looking for company Intel /R&D and secrets?

  15. el-keef

    Atlassian make it hard to avoid this

    Atlassian have a history of merging accounts between personal and work - it's not that easy to avoid. I nearly lost all my personal Bitbucket content when leaving an employer because Atlassian had managed to combine my personal account with my work account despite me trying to keep them separate. I think it happened when they converted standalone Bitbucket accounts into Atlassian accounts, just as they're currently doing with Trello. Luckily I had a good relationship with the account manager at that company and managed to get it sorted out, but it took a while between us to figure out what we had to do.

    All the people saying "don't mix work and personal" - it really isn't that straightforward to avoid with Atlassian, they link stuff up behind the scenes without being explicit about it.

  16. FatGerman

    Work and Pleasure

    Why would anyone use their personal email for anything to do with work? Or vice-versa?

    I've worked at places where that would get you a very stern talking to. Plus, it's good for your health (mental, mainly) never to mix the two.

    Sorry, no sympathy for this guy. Needs to address his work-life balance.

  17. 96percentchimp

    I find your lack of empathy disturbing

    I'm surprised at how many commentards think this guy deserves no sympathy for his situation. He attempted to remove his former employer from his Trello account, but the second email couldn't be removed. That's particularly bad in this case, when the ability to work through multiple emails is touted as a feature of the service - the onus lies entirely on the operator to enable the user to manage their account fully.

    Sure, he shouldn't have mixed work and personal data, but life is rarely that simple and few people are capable of achieving the levels of anally retentive pedantry on which many top Reg commentards pride themselves. The superiority you feel might just be hubris waiting to bite you where it hurts.

  18. grizewald

    So easy to say

    So hard to do.

    "The obvious conclusion is: first, to back up data stored with external services..."

    Most cloud services like Trello don't offer any easy way to make a backup of your data, or if they do, it's normally in a way that loses the structure or uses some impenetrable proprietary format which only works on the cloud service in question.

    A fine example of the "no backup at all" is Photobucket. They make it very easy to put all your photos on their service, but the only way to download your own data from them is to go through each picture, one at a time, and manually download each one.

    I believe it's called "lock in by design".

  19. Twilight

    I understand this problem for some services. However, it makes no sense for Trello. As the subject of the article pointed out, the boards are associated with an email address (not just with the account) so it should be trivial for Trello to separate which ones are personal vs work.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020