All my old GitHub comments are credited to “ghost” now. I was somewhere in the first 12,000 GitHub accounts.
My relationship with GitHub significantly predated my dalliance with this one employer years ago. I trusted GitHub. My GitHub account was a formative part of my identity. I still can’t believe it and I still can’t forgive them. I lost some of my sparkle that day.
It's also why I oppose using social authentication with anything. While we have access to our [Facebook, Twitter, Github, Google, LinkedIn] account today, what happens if they shut it down? We have no clue of the real consequences and no appeals process. It's the worst of both worlds.
Do we have any protection besides moving to a new platform that's not big enough to betray its users yet?
I went through this with a Reddit account that got hacked. I was able to get the spammer shut down but had to create a new account, and really, it's okay. The people who know you will reconnect, and the others don't matter much.
It used to be that everyone got a new phone number when they moved, and we managed.
I feel like every netizen goes through this at one point of their life, where they trust an entity, get burned, and learn the lesson of never trusting another entity (100% without condition) again, keeping your data closer to yourself.
Much like in real life, where at one point you trusted some too much/naively, and after that point you're more careful, even of things/people you do trust.
Try suggesting that you can run a software business without using GitHub as your single point of failure^W^W^W^Wsource control system, and a lot of young developers will just laugh and wonder what you've been smoking.
Try challenging Apple's walled garden philosophy and suggesting that their mobile devices could implement standard protocols for transferring your own data on and off them directly like almost every other mobile device in the past decade, instead of relying on their not-properly-secured iCloud system, and plenty of Apple fans will wonder why you might care.
Even the HN community falls victim to this mentality from time to time. I find people here tend to be more rational about these issues than average, but any suggestion that one of the YC success stories that has become an HN idol has done something unwise or even bad can sometimes end up brutally suppressed.
It would be better, IMHO, if people kept in mind that behind these services they have allowed themselves to depend on so much is usually just a business, even if it's a big and famous one, and that businesses generally have no obligation to anyone to continue doing anything other than to the extent that either the law requires it or there is compensation changing hands and a contractual obligation.
I recently moaned and whined to my friend about how when i was growing up a person/entity (to my recollection) would feel.. like they received a magical gift just to send a message online.. having a web page was like.. winning the nerd superbowl.. Now it's like.. we are supposed to take a knee to any company that gets sufficient presence and significance (linkedin, etc trying to find a job).
What actions had you taken toward trying to remedy this?
Isn't this how usernames started?
It's bizarre to see so many companies handle this in such a user-hostile way. It looks like a clear sign not to use Atlassian or Github for anything private. Makes me wonder if Gitlab might be next...
GitHub organizations should make this a non issue. I assumed that they’re mostly competent, but if literally any past job I had could pull the plug that’d be a huge problem.
The risk is just too big.
With login via email I can still be in control of that account no matter what.
At least my company doesn't host anything on public GitHub (GitHub for enterprises has everything) so they don't need to be connected. If you have personal and company stuff you are in trouble even if you separate them.
The multiple account login used to work the same way it works for GitHub now. The boards were very clearly labeled under the email/username they were created with and clearly had the ownership well defined. As soon as I left the company and my email was disabled, all the boards under that email disappeared from my account. This was expected, and I kept using my primary email (I always used to log in with my username) and completely forgot about an attached secondary email (which anyway is now deactivated). Fast forward 5 years with tons of personal boards under this account: one morning it stopped working without any notification (yes, I reviewed my spam to be sure about it) with all my data gone.
I started disentangling myself from Atlassian products a few years ago but I was still using Trello. Clearly that's going to have to stop.
No work stuff is hosted in my personal accounts, and work accounts are always created with a separate e-mail. I can just remove myself from everything work related without touching anything personal.
While I was working with a small group, we had our own domain and e-mail addresses as a perk. My relationship went sour with the lead of the project and, as a power move, she disabled my e-mail and other accounts related to that group, guessing that a lot of stuff was connected to this e-mail (since the domain was prestigious in those circles) and that doing so would hurt me a lot.
Since only things related to the group/work were on that e-mail, literally nothing happened. I just broke off cleanly from the group, and a move designed to hurt me brought bliss to the parting process.
I have yet to figure out how to deactivate that.. but since they're separate users (vs secondary email), I don't think the same will happen. But who knows? Not me.
Good luck getting this straightened out.
I really don’t recommend using in-app dual logins (for example Gmail’s dual login), and stick to using separate Chrome profiles or Firefox profiles, so that none of the cookies are shared. Even with that, I’ve had surprises with my mobile phone number being the only shared information between two Google Ads accounts, and Google mixing my data, but avoiding sharing cookies is really important.
That is also what I recommend my employees. « You can use Facebook or Youtube at work, but not in the same Chrome profile. »
You don't need separate Firefox profiles for that, you can use Firefox containers.
I have all my data backed up. I won't use a device or service that does not allow me to back it up.
Nice open source self hosting alternative.
Would love to get feedback!
Subject: Your company ExampleCo will soon manage your Trello account
Good news! Your Trello account is getting an upgrade.
ExampleCo will now manage Trello accounts with a example.com email address,
which includes yours (mjd+trello@example.com).
The "Good news" part looked like marketing bullshit, but the rest of the message was menacing enough that I was able to contact them by email and get instructions about how to avoid having my personal Trello handed over to ExampleCo. It still sucks.
The lesson I take from this is: “Software as a service” is always a security risk. Unless my data is on my server, someone else owns it and might sell it to a higher bidder.
This is one of those “fool me twice, shame on me” moments.
I understood that these were separate accounts in separate systems, they just had the same email address attached to both because it was convenient to log into each system from separate workstations - a little bit like using a company phone for a personal telephone call. When one company (Atlassian) acquired the other (Trello), the "accounts" were merged by someone who has no taste.
> In the end, they need to be able to claim the content if an employee leaves the company.
I don't agree with this at all, and thankfully tort doesn't work this way.
> Mixing personal and company accounts or even accounts of several employers sounds dangerous to me.
Indeed. This is a big reason why I don't like to create "free" accounts, because I know unless I pay them, I cannot sue them for fucking something like this up.
They used to create an account using my professional contact email without asking, of course, and it would give me all sorts of problems with some SaaS services. Stuff similar to the ones in this post. Most of the time it was harmless (I'd lose access to another client), but it was always a headache.
The middle-of-the-road solution for me was to nicely ask them to remove it and use something like companyname@mydomain.com.
Of course the @mydomain.com solution didn't work for long as well (thanks, Salesforce), so I started using throwaway Google Accounts.
"Use another Trello account for anything not related to [my previous company]. Grab a new, free Trello account in seconds and move your vacation board (or whatever should be elsewhere!) to that one."
My former company is not even using Trello and everything I have there is personal. I created the Trello with my personal email and only afterwards added the company email to it to access some experimental board we never ended up using.
I didn't comply and instead just removed the company email from the account. I seriously don't see why I need to create a new account and move stuff for no reason at all. Why does the organisation email trump my personal one that I actually created the account with? Should I be worried?
Because the organization a) pays them money, and b) demands this. Enterprise offerings like SSO tend to support the legal and pseudo-legal aspect of the security theatre of enterprise space. So if you connect a company e-mail to your personal account, that account suddenly falls under whatever random policies the organization's IT team implemented.
This process isn't too bad if you actively work at ExampleCo, but if you left it years ago and are still on some boards... yuck.
I was notified about the Apr 14 deadline by Trello twice, on both my personal (not connected to the org in any way) and work email:
- on Jan 30;
- on Feb 29.
As much as I hate Atlassian for their other products, this seems like a responsible timeline for this kind of change.
But you created the problem in the first place by adding your work email to an account that had your personal boards in it. By doing that you gave your employer a means of controlling that account. You basically planted a time bomb that could go off at some unpredictable time in the future. And it went off.
While I understand the pain (I sympathize), please note that no permissions management system (or identity and authentication system) is so perfect that every case can be handled perfectly. As others say, you should have verified and spent a bit of time on cleanup, because at the end you lose time/money/whatever.
In the worst case, any company or even govt can just say sorry or some credits.
Even if the company is to blame 99 % you need to take 1 % responsibility.
See: Github - where you can SSO into your organization's repositories but this is completely separate from your personal repositories.
Clearly understand what "implication"? From what I can see, all Atlassian knows is that there is an account with two email addresses attached to it. They have no way of knowing which email belongs to the "right" owner of the account. That's something the two parties involved--the two owners of the two emails--need to work out between them, and then give Atlassian a common response.
Edit: you can't say what they did deliberately or not. They're doing what makes the most sense for their business. Almost no support team I know would give you access to this account.
- add your personal email
- get fired, log in with that email, and now have all the data
Considering that it would be an invasion of privacy and confidentiality for Atlassian to access the content of the board to assess which one is corporate and which one is personal, Atlassian took the safer approach to satisfy a paying client.
Consider that as a free user, with no advertising to monetize you, one could guess that Trello used you for advertising (unless you are a paying user for your personal account, which could change the story).
Of course I am not a big fan of the approach, because the user probably linked personal and work accounts for convenience, and Trello probably didn't make it easy to switch between work and personal.
On the other hand, how do you prove that an email address is a personal one?
It seems like HN is in a sort of Goldilocks zone, where it isn’t as crowded as Twitter but gets enough attention that companies are pressured to respond. I’m not sure how replicable these characteristics would be to a platform tailored specifically to this customer service problem.
For example, it's hard to believe that an organisation not only handing over an obviously personal account to enterprise management but then failing to fix the problem when explicitly notified isn't in flagrant breach of the GDPR in Europe. The entire account tied to a personal identity could reasonably be considered personal data, which brings obligations in terms of properly managing and safeguarding that data and in terms of allowing the user to retrieve it and erase it, among other things.
I'm not generally a fan of how the GDPR was implemented in practice, but in cases like this, the sledgehammer-nut principle might well work in favour of the little guy. Going after both the hosting service and the former employer if they fail to disconnect the personal account and retain control over it when notified seems like exactly the sort of thing the regulators ought to be doing. This is such a flagrantly inappropriate policy that some sort of punitive fines to make an example don't seem out of the question.
Trello just notified me that:
> At least one of the email addresses linked to your account belongs to an organization: [...]
> This usually means it's a work email. If this organization begins using Atlassian products while this email address is linked, your account could become managed by that organization, which means you could potentially lose access. If you don't use Trello for work, just select a non-organizational email.
I use Trello myself, as well as in connection with several organizations. The idea that someone can "claim" and "manage" my account is outright ridiculous.
Even worse, in a show of incompetence, their "Confirm email" link doesn't work (times out because the server is seemingly down).
Now I'm no longer using Trello as I moved to tasksinabox.com 2 years ago, but I don't see why the information I have there should suddenly be transferred to a company, out of my control and without my permission, just because somewhere there is an email address with a company domain name attached.
I understand the old "lure shadow IT users in with a 'free' service, then offer IT to take back control at a price" scheme; it's a bit of a dark pattern, but then the pre-existing users should have the option to opt out of the retroactive appropriation.
I do hope that once the 'confirmation' page comes up, there will be the option to remove the company email from the account, and assign a different address in its place.
As I got the same email from @trellis.coffee and assumed it was a phishing attempt.
Don’t connect your personal stuff to your work stuff. That’s messed me up more than once — lesson learned, painfully.
Should you lose your account over that?
This person’s warning email probably ended up in spam.
In general I’m not sure the best way Atlassian could have handled this. The recent upgrade to move @company.com accounts into having a better security posture and control by the administration of the company does make sense.
Perhaps the person’s account should have just been disabled entirely until they removed either their personal email or @company.com email from the account to choose which way they wanted to go... That might have been the best solution to both protect corporate security and also the individual.
Once you attach an email you don't control to the account--like your work email that your employer controls--then it isn't "your" account any more. You have given someone else a means of controlling it. The solution is to not do that.
It's now the team of Trello lawyers, AND the team of ACME company lawyers, against Sole Person and their lawyers.
From Trello's perspective, that is much more of a winnable battle than Trello v. Person v. ACME.
If you're likely to be sued by the loser on the side of a battle, get sued by the one with a smaller warchest.
And here is a list of national data protection authorities in Europe: https://edpb.europa.eu/about-edpb/board/members_en
I have provided GDPR consulting in the UK over the last three years.
What exactly do you think was a violation?
I guess people affected by this could submit a subject access request to get their data back.
I remember asking them every month, years back around their handover to Atlassian, to create/enable backup code functionality.
Several months ago after changing countries and phones I discovered that my backup codes didn't work.
Their "support" offered me a "solution" - to delete all my boards associated with my email so that I could create fresh ones.
Zero apologies, zero explanation as to why my perfectly double-backed-up 2FA codes were not working, all blame on me, the user.
There were sensitive details for approx 16 projects collected daily over the span of 5 years.
That SSO 2FA is flawed the same way across all Atlassian products.
Never again would I trust my data to Atlassian.
WeKan is open source and welcome.
AVOID SMS-based 2FA whenever possible. Use TOTP codes.
SMS makes your phone a single point of failure [1].
I currently use the OTP feature of KeePassXC, so that I can still generate OTP codes but can have those codes replicated on my trusted devices. You can save the seed of the TOTP and re-install the OTP on other devices too.
[1] Plus you should really try to depend as little as possible on your smartphone. Smartphones are the leash of the third millennium. The less you are dependent on it, the freer you are.
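The point the comment above makes (a TOTP seed is just a shared secret, so every device holding the same seed produces the same codes, which is what makes it replicable and backup-able in a way SMS is not) is easy to see in code. The following is an added example written for this page, not code posted by the commenter or taken from KeePassXC or Trello: a minimal RFC 4226 HOTP / RFC 6238 TOTP generator plus a server-side verifier with a small drift window. The seed used is the published RFC 6238 SHA-1 test seed (ASCII "12345678901234567890"), not anyone's real secret; the base32 form is the same seed as it would appear in an otpauth URI or a password-manager entry.

```python
import base64
import hashlib
import hmac
import time

# Added example: RFC 4226 HOTP / RFC 6238 TOTP, as an illustration for the
# thread above. The seed is the RFC 6238 SHA-1 test vector seed, i.e. a
# published constant, not a real secret.
RFC6238_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' (offset from the low nibble of the last byte)."""
    msg = counter.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def decode_otpauth_secret(b32: str) -> bytes:
    """Seeds in otpauth:// URIs and password managers are base32, often
    shown unpadded and with spaces; normalise and decode to raw bytes."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify(secret: bytes, code: str, unix_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step and +/- `window`
    neighbouring steps (clock drift), comparing in constant time."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


if __name__ == "__main__":
    # Two "devices" that were given the same seed (one as raw bytes, one as
    # the base32 string you would paste into a password manager) agree.
    now = int(time.time())
    seed_b32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of RFC6238_SEED
    print(totp(RFC6238_SEED, now), totp(decode_otpauth_secret(seed_b32), now))
```

Running the block prints the same six-digit code twice, once from the raw seed and once from its base32 form, which is the whole "replicate the seed to trusted devices" idea: whoever has the seed can mint codes, so back it up as carefully as a password, and note that a server that loses or mishandles the seed (as in the support story above) cannot be helped by any number of client-side backups.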
From the Atlassian community page it looks like the Trello account in question was linked to both your personal gmail account and an email account belonging to your former employer. Was that Trello account only for work items for that former employer? Or was it a mixture of both work items for that employer and personal items for you? Or was it just your personal account that happened to have your work email as an alternate email address?
If it was just a work Trello account with your former employer, then I'm not sure why you would need access to that Trello account now that you're no longer with that employer. Atlassian is giving you the option of disconnecting your personal gmail from that account so you can create a new one if you want a personal Trello account.
If it was a mixture of work and personal items in the Trello account, then the obvious lesson learned for the future is to not do that.
If it was just your personal Trello account, I don't see why your previous employer would have a problem with telling Atlassian that it's not their account and that the email address in their domain can be removed.
In any case, it doesn't look to me like this situation is Trello's fault. You say in a comment on the Atlassian community page that "It is very evident from the reply that Atlassian favors corporate accounts over individuals", but I don't see that they are favoring either party here. In fact they are refusing to favor either party, by refusing to make a decision--which email the account "really" belongs to--that they should not be making. This is something the two parties involved--you and your former employer--need to work out. It's not something Trello should be deciding. They have no way of knowing which party--you or your former employer--is the "right" owner of this account.
It typically means they are making some changes to one of their products. The changes don’t benefit me at all, but do cause me disruption.
I think any warm feeling I had towards Atlassian evaporated with the whole HipChat-to-Stride-to-nothing fiasco.
1. “Good news! We are replacing HipChat with Stride, which is a worse product with less features”
2. Soon after, “Good news! To serve you better, we are discontinuing Stride.”
― Professor Hubert J. Farnsworth
Someone I've never met, talked to or been in the same room as. They live on the other side of the world.
I suspect some sort of IP-based cache has stored their cookie or a set auth-header.
Very creepy, Atlassian.
This whole situation makes me think I should steer clear of trello and clients that use it.
Personal stuff is personal, work stuff is work and ne'er shall the twain meet.
Using my employer's email addresses for services I want to control doesn't sound right. Of course, LinkedIn is a different story but for SaaS platforms like Trello, my employer should be the rightful owner of the data I store in there if I used it for work.
Imagine the other scenario, if that Trello account's control didn't move to the employer, the employee would still be keeping the content he created FOR the employer long after his employment has ended. I don't think that is cool.
Your data is your data, likewise, your employer's data is theirs. If you don't want any hassle, keep these two lives different.
Does that side project belong to you or to your company? If it belonged to you, why would you use office email ID for collaborating on it? and if it belonged to the company, why would you manage it on a personal Trello account?
Sorry to sound harsh, but unless I am missing something, to begin with, looks bad judgement on your part.
1. You use Trello to track work with your team.
2. You invite your team to use Trello using corporate email accounts.
3. Someone leaves the company. You decommission their corporate email.
4. Five years later, you find out that person still has access to all of your work trello boards.
At this point, I'd be flipping my shit and threatening to sue Trello.
Trello's response would be: sorry, the employee associated a 2nd personal account.
This would be unacceptable from a corporate access control perspective!
That's not how it works and not how it has worked.
It used to work like Github does, where access control to boards is by account, not by associated email addresses.
Very little information was provided about the migration. My company has multiple Atlassian accounts, so we weren’t even sure which account it was migrating to.
The whole thing was a weird janky process. Anyone with an email address should be able to register for an account and information should never be forcefully migrated or merged. In her case the only way out was to migrate to an account using a different email address.
Atlassian's MO
> Using a work email address with Trello
> At least one of the email addresses linked to your account belongs to an organization:
> <redacted>.com
> This usually means it's a work email. If this organization begins using Atlassian products while this email address is linked, your account could become managed by that organization, which means you could potentially lose access. If you don't use Trello for work, just select a non-organizational email.
In my case the "organization" is my personal domain. I'm guessing they classify any email address that isn't with a common free email provider to be a work email address.
How do I unfuck this situation while still employed with access to both my gmail and work email?
I hope that all Europeans hit by this will make an issue out of this that will make Atlassian and other companies think twice before doing something like this again.
All their customers present and potential are seeing them do exactly the wrong thing ethically in order to take a side against an individual in favour of an employer.
Big gold star from corporate. Individual developers, rob them, that is fine. The customer is right. The user is not the customer.
The other way around. Taking a firm's IP and denying access to it while giving it to a former employee who did not own it. Words like theft would be bandied about freely.
Oh for the days of the rule of law and equality before it, huh?
And that's not good PR.
So never make the mistake to mix private with work.
I don't think Atlassian is to blame here. Maybe they could have communicated this better to the owner of the account. But if you own an account it does not mean you own the content if you used it for work.
If a company thinks they own something on that account, they should address that with the owner of the account. In court, if necessary. But companies just seizing your data like that should be illegal, and companies should not enable it. They certainly shouldn't proactively give your data to someone else.
Note that Youtube is also guilty of similar things, allowing companies to claim ownership of independent users' original works. There need to be stronger laws to crack down on such abuses.
I generally have little sympathy toward people expecting privacy on assets provided by the company, whether that be hardware or software. If you read your private email on a corporate asset, or enable sign-on with a corporate credential, all data can and should be inspected by your corporation. The fact that companies don't MitM _everything_ is what's surprising.
Sad because it’s my go to tool. It’ll hold on for a while longer but at some point they will turn it into some sort of Jira Kanban+
In the first stage, they should have already made the right decision, handing over the account to its rightful owner, without any hesitation. I hate companies favoring companies over individuals. I thought this was a mindset of old school businesses, not our current tech ones, the ones that build their success on us.
I was already reviewing new tools for organizing plans, today I'm removing all my boards and closing my account on Trello, as my civil response.
"Apathy is the tyrant's greatest ally."
"I've taken a look at your account, and ultimately, the problem is that the email address of your former employer was still attached to the Trello account. In their recent account claim, this triggered your employer to claim ownership of the Trello account, which is something Trello's terms allow Enterprises to do. Because the email address was still on the account, your employer identified it as an account that they should own, and ownership of this Trello account was transferred to your former employer, so no changes can be made to the account, and the company owns that account.
It sounds like you have personal content in this account that you want access to? Given the account ownership, that's not something that we can do on our end, unfortunately. If the company consented, they could remove your account from all company teams, and then we could remove the Enterprise association, but that's something you'd need to explore with them, if they'd be willing to do that."
1. Remove the example.com address from your account. Warning: You will lose access to all boards shared with this email address.
2. Accept the SSO migration. Warning: You will no longer be able to sign in with your Trello email and password.
If this is how Microsoft support works for real, no wonder the scammers getting people to install malware are successful.
The Internet gives, and the Internet takes away.
You simply can't trust any corporation to do the right thing and GAF about people's right to privacy or access to their own information.
I think whoever solves the problem of making it easy to offer web application services while allowing users to own, protect and backup their own data will be rewarded.
You know, the one thing nice about using a cloud service is that your data is just there, nice and safe. You know, usually.
I contacted Atlassian support via my personal email account and they informed me that somehow my subscription is tied to my personal account, but I need to use my former work email to login.
I can't do that, so I've lost access to all my personal boards and apparently to my Gold Subscription too.
I also never, ever, for any reason, no matter what, no matter where, or who, or who I am with, or where I am going, or where I've been... ever, for any reason whatsoever link a business email account to a personal account. I use different browser profiles and keep all that stuff segregated.
I really think the future needs to look more at "master" accounts with Azure/AWS and similar services, make it much easier to delegate access to third parties so that the third party contains the core logic/application but the data resides fully with your own account.
Data ownership is so important and overlooked by so many people who want an easy life and want to forget physical servers to look after.
If someone uses a 'personal' email for setting up their business' trello account (including what could be categorized as trade secrets); and at some point in the future, they added a different companies domain to their account as a secondary login; and then Trello hands everything over to that other company; how isn't that a violation of trade secrets?
For some reason, they listed my cheap tier license under the work email. I still have no idea how this happened except for maybe laziness by some Atlassian support person.
Convenience is cool, the fact that one or more third parties has control of your account on the saas service is less cool
also not so hot that it's used for login and information sharing. I had an experience where I read the oauth permissions carefully on a first login, and then on a subsequent login the app included contacts in the permission set. I noticed it too late. Super shady & I'll never use oauth personally again.