
Trello handed over my personal account to my previous company - shashanktomar
https://community.atlassian.com/t5/Trello-questions/Personal-gmail-account-claimed-by-SSO-can-t-login-anymore/qaq-p/1293750
======
shashanktomar
From the comments, there is some confusion about why I attached my personal
email to a company account. That was not the case, let me clarify it. I
created my personal account long before Trello was acquired by Atlassian. It
did not have any SSO at that point and the login was with username and
password. At some point, while working on a side project and to share it with
a teammate, I attached a secondary email to my account and created a few boards
under it. This email was my company's email @company.com

The multiple account login used to work the same way it works for github now.
The boards were very clearly labeled under the email/username they were
created and clearly had the ownership well defined. As soon as I left the
company and my email was disabled, all the boards under that email disappeared
from my account. This was expected and I kept using my primary email (I always
used to log in with my username) and completely forgot about an attached
secondary email (which anyways is now deactivated). Fast forward 5 years with
tons of personal boards under this account, one morning it stopped working
without any notification (yes I revised my spam to be sure about it) with all
my data gone.

~~~
alexis_fr
Atlassian is not the only one who wrecked login by implementing SSO across all
their instances.

I really don’t recommend using in-app dual logins (for example Gmail’s dual
login), and stick to using separate Chrome profiles or Firefox profiles, so
that none of the cookies are shared. Even with that, I’ve had surprises with
my mobile phone number being the only shared information between two Google
Ads accounts, and Google mixing my data, but avoiding sharing cookies is
really important.

That is also what I recommend to my employees. « You can use Facebook or Youtube
at work, but not in the same Chrome profile. »

~~~
shock
> separate Chrome profiles or Firefox profiles, so that none of the cookies
> are shared.

You don't need separate Firefox profiles for that, you can use Firefox
containers.

~~~
znpy
> You don't need separate Firefox profiles for that, you can use Firefox
> containers.

Firefox Containers are awful.

Only Firefox profiles can give you true separation.

It would have been better if Mozilla had added a better interface to profiles.

~~~
ssorallen
> It would have been better if Mozilla had added a better interface to
> profiles.

Profiles in Chrome and their ease of use (Cmd+Shift+M to open a new window in
a different profile) is the _primary_ reason I still use Chrome over Firefox.
I have a Personal, a Work, and a Development profile. The development profile
is where I install dev extensions like React Devtools, Redux Devtools, etc.
because they require full access to all sites in order to function. I don’t do
regular web browsing with devtools installed. These tools seem trustworthy,
but why risk giving them access to everything I do on the web?

I’ve tried Firefox Containers and can’t find the same power and ease of use
Chrome Profiles have.

~~~
alexis_fr
Upside of Chrome profiles: Use a bright red theme for prod sysadmin profile,
and blue for work. So you never type « p... » on your work profile by
mistake... Don’t laugh, usage is widespread.

~~~
ssorallen
I do exactly this too: I have 3 distinctly different themes for the three
profiles I use. A split second glance at the color of the tab bar informs me
which profile I'm working with.

------
dreyfiz
GitHub did this to me a few years ago. I still feel violated. Not by my idiot
former employer. I feel violated by GitHub. I got my account back. Sort of.
They detached a significant amount of my content from my account, and returned
to me a gimpy lobotomized version of myself.

All my old GitHub comments are credited to “ghost” now. I was somewhere in the
first 12,000 GitHub accounts.

My relationship with GitHub significantly predated my dalliance with this one
employer years ago. I trusted GitHub. My GitHub account was a formative part
of my identity. I still can’t believe it and I still can’t forgive them. I
lost some of my sparkle that day.

~~~
snack_man
The specter of this sort of violation hangs over the shoulder of every
internet user now - the loss of an account on a service like Facebook, GitHub,
or Trello could be life-altering. Our digital selves are all at risk of
becoming The Trial's protagonist.

Do we have any protection besides moving to a new platform that's not big
enough to betray its users yet?

~~~
ZWoz
Unix graybeards selfhost. That saying "cloud is someone else's computer." is
relevant here. Now, you can ask what self-hosting really means, and that is
complicated. Does a rented server count? Colocation? Or is your own premises
the only way? I have worked at places where the last one is a hard requirement.
Generally though, I am pleased with colocation; some places even have
customer-provided locks on racks. But even if you have a cheap VPS, at least
you can back it up (regularly and before troubles) and restore it some other
place. With SaaS, you can't always have an export in a nice and useful form.

~~~
Silhouette
The funny thing is, _everyone_ used to self-host. A home ISP account typically
came with an email address, some space to host a website, etc. Of course you
could set up other facilities as well, but even without that, you had control
of the storage. The Web was full of articles on how to build your first home
page, which plenty of non-geek people managed to do just fine.

The biggest danger back then was probably that if you changed ISP then you'd
lose access to your old email address. That's still a danger with any email
hosting service, including the likes of Google that people often use instead
today, and it's why I advocate everyone registering their own domain for life.
Email is still the root password to your online existence in almost every
case, and letting any third party have more control of it than is strictly
necessary is a really, really bad idea.

I would love to see a move back in that direction, with home ISP accounts
allowing access to some sort of "starter kit" home server in the same way they
probably provide most customers' starter modem/router/wifi equipment already,
and with more software built that was aimed at being self-hosted and accessed
via your home network or remotely through a VPN.

Sadly, I think this is unlikely, because there's just too much momentum behind
the massive social networks and other online services. So instead, every now
and then, a large chunk of someone's online life is going to get wiped out by
the kinds of poor policies we're talking about today.

~~~
hamlsandwich
> A home ISP account typically came with an email address, some space to host
> a website

But that's not really self-hosting is it? If my ISP can decide to poke around
in my user folder and there's nothing I can do about it?

~~~
Silhouette
No, it's not, but it's a lot closer than using some intermediary service, and
it's convertible to true self-hosting if you find you need to later because
the data is all under your own control and ownership throughout.

------
mjd
They emailed me about this back on January 30:

    
    
      Subject: Your company ExampleCo will soon manage your Trello account
       
      Good news! Your Trello account is getting an upgrade.
      
      ExampleCo will now manage Trello accounts with a example.com email address,
      which includes yours (mjd+trello@example.com).
    

The "Good news" part looked like marketing bullshit, but the rest of the
message was menacing enough that I was able to contact them by email and get
instructions about how to avoid having my personal Trello handed over to
ExampleCo.

It still sucks.

The lesson I take from this is: “Software as a service” is _always_ a security
risk. Unless my data is on _my_ server, someone else owns it and might sell it
to a higher bidder.

This is one of those “fool me twice, shame on me” moments.

~~~
dx034
Isn't it standard to open separate accounts for companies? My employers
would've never even allowed me to use a personal account or personal email for
business content. In the end, they need to be able to claim the content if an
employee leaves the company. Mixing personal and company accounts or even
accounts of several employers sounds dangerous to me.

~~~
geocar
> Isn't it standard to open separate accounts for companies?

I understood that these were separate accounts in separate systems, they just
had the same email address attached to both because it was convenient to log
into each system from separate workstations - a little bit like using a
company phone for a personal telephone call. When one company (Atlassian)
acquired the other (Trello), the "accounts" were merged by someone who has no
taste.

> In the end, they need to be able to claim the content if an employee leaves
> the company.

I don't agree with this at all, and thankfully tort doesn't work this way.

> Mixing personal and company accounts or even accounts of several employers
> sounds dangerous to me.

Indeed. This is a big reason why I don't like to create "free" accounts,
because I know unless I pay them, I cannot sue them for fucking something like
this up.

~~~
rileymat2
Why is payment relevant to lawsuits?

~~~
naasking
Easy to show you suffered financial loss, potentially also makes for a strong
contract violation case.

------
0k
Beware the Atlassian's SSO "2 factor authentication" (2fa).

I remember asking them every month years back their hand over to Atlassian -
to create / enable backup codes functionality.

Several months ago after changing countries and phones I discovered that my
backup codes didn't work.

Their "support" offered me a "solution" - to delete all my boards associated
with my email so that I could create fresh ones.

Zero apologies, zero explanation as to why my perfectly double-backed up 2FA
codes were not working, all blames on me the user.

There were sensitive details for approx 16 projects collected daily over the
span of 5 years.

That SSO 2FA is flawed the same way across all Atlassian products.

Never again would I trust my data to Atlassian.

WeKan is open source and welcome.

~~~
znpy
THIS.

AVOID whenever possible sms-based 2fa. Use totp codes.

SMS makes your phone a single point of failure [1].

I currently use the OTP feature of keepassxc, so that I can still generate otp
code but can have those codes replicated on my trusted devices. You can save
the seed of the TOTP and re-install the otp on other devices too.

[1] plus you should really try and depend as little as possible on your
smartphones. smartphones are the leash of the third millennium. the less you
are _dependent_ on it, the free-er you are.

~~~
raziel2p
nowhere does the parent mention SMS - they're talking about backup codes,
which exist regardless of whether you use TOTP or SMS or something else.

------
whalesalad
Atlassian, at its core, is a software integrator. They buy stuff and add it to
the heaping pile of duct tape garbage they’re schlepping. Trello is just
another skull and crossbones on their long list of pillages. It was only a
matter of time before the integration got some steam and the atlassian cancer
began to take residence.

Sad because it’s my go to tool. It’ll hold on for a while longer but at some
point they will turn it into some sort of Jira Kanban+

------
jwr
I have a single E-mail account that I use for everything. I decided more than
~20 years ago that my E-mail is tied to my identity and not to any particular
E-mail service or employer, and I started managing my E-mail myself.

Trello just notified me that:

> At least one of the email addresses linked to your account belongs to an
> organization: [...]
>
> This usually means it's a work email. If this organization begins using
> Atlassian products while this email address is linked, your account could
> become managed by that organization, which means you could potentially lose
> access. If you don't use Trello for work, just select a non-organizational
> email.

I use Trello myself, as well as in connection with several organizations. The
idea that someone can "claim" and "manage" my account is outright ridiculous.

Even worse, in a show of incompetence, their "Confirm email" link doesn't work
(times out because the server is seemingly down).

~~~
PeterStuer
Just received the same email, and had the same experience as you. Servers are
not responding.

Now I'm no longer using Trello as I moved to tasksinabox.com 2 years ago, but
I don't see why the information I have there should suddenly be transferred to
a company, out of my control and without my permission, just because somewhere
there is an email address with a company domain name attached.

I understand the old "lure shadow IT users in with a 'free' service, then
offer IT to take back control at a price" scheme, it's a bit of a dark
pattern, but then the pre-existing users should have the option to opt out of
the retroactive appropriation.

I do hope that once the 'confirmation' page comes up, there will be the option
to remove the company email from the account, and assign a different address
in its place.

~~~
mattmanser
Did it actually come from @trello.com?

As I got the same email from @trellis.coffee and assumed it was a phishing
attempt.

~~~
thedufer
I'm a former Trello employee - trellis.coffee is the domain the primary dev
server is hosted at. It sounds like they failed to excise your email address
from the dev database (at least, that's what we did when I worked there).

~~~
mattmanser
It's concerning that they're obviously copying production data to a dev
database.

------
JMTQp8lwXL
In this day and age, sharing this community forum discussion here is the only
way to get resolution. I'm happy helping people out and tweeting my
displeasure with companies, but we need some way to scale this. We can't just
help the people that get enough publicity. We think we're helping, and we are,
but only a small amount of situations end up getting front paged.

~~~
chatmasta
Interesting idea re: scaling. I agree this is a pattern we see time and time
again with different companies on here. I wonder what a service built around
this idea might look like? It’s basically outsourced customer service, isn’t
it?

It seems like HN is in a sort of Goldilocks zone, where it isn’t as crowded as
Twitter but gets enough attention that companies are pressured to respond. I’m
not sure how replicable these characteristics would be to a platform tailored
specifically to this customer service problem.

~~~
g_delgado14
I don't think technology will be a long term solution. What I think the
industry needs is tighter regulation and incentives for companies to not "move
fast and break things", lest they get slapped with large fines. The issue is
that I don't think the majority of politicians are informed on the social cost
of, say, not serving a website over HTTPS or encrypting data at rest. Until
then, this sort of thing will keep on happening because ultimately companies
don't have a disincentive to do otherwise.

------
mindB
In 2016 I lost access to some repos on bitbucket after a similar occurrence. I
made the mistake of using my (student) university email account to register
with bitbucket (it was the primary email account I used for everything at the
time). At some point, my university apparently decided to use Atlassian
services which completely disabled any ability I had to login to that account.
I don't know if linking together all accounts under a domain is just the
default behavior from Atlassian or if both this former employer and my
university decided to screw people over, but either way it's a stupid
situation and unsurprising at this point.

~~~
shashanktomar
In this case, I did not even use the company email. It was my personal gmail.

~~~
pdonis
_> In this case, I did not even use the company email. It was my personal
gmail._

From the Atlassian community page it looks like the Trello account in question
was linked to both your personal gmail account and an email account belonging
to your former employer. Was that Trello account only for work items for that
former employer? Or was it a mixture of both work items for that employer and
personal items for you? Or was it just your personal account that happened to
have your work email as an alternate email address?

If it was just a work Trello account with your former employer, then I'm not
sure why you would need access to that Trello account now that you're no
longer with that employer. Atlassian is giving you the option of disconnecting
your personal gmail from that account so you can create a new one if you want
a personal Trello account.

If it was a mixture of work and personal items in the Trello account, then the
obvious lesson learned for the future is to not do that.

If it was just your personal Trello account, I don't see why your previous
employer would have a problem with telling Atlassian that it's not their
account and that the email address in their domain can be removed.

In any case, it doesn't look to me like this situation is Trello's fault. You
say in a comment on the Atlassian community page that "It is very evident from
the reply that Atlassian favors corporate accounts over individuals", but I
don't see that they are favoring either party here. In fact they are
_refusing_ to favor either party, by refusing to make a decision--which email
the account "really" belongs to--that they _should not_ be making. This is
something the two parties involved--you and your former employer--need to work
out. It's not something Trello should be deciding. They have no way of knowing
which party--you or your former employer--is the "right" owner of this
account.

~~~
shashanktomar
I will try to set some context here. I created my personal account long before
Trello was acquired by Atlassian. It did not have any SSO at that point and
the login was with username and password. At some point, while working on a
side project and to share it with a teammate, I attached a secondary email to
my account and created a few boards under it. This email was my company's email
@company.com

The multiple account login used to work the same way it works for github now.
The boards were very clearly labeled under the email/username they were
created and clearly had the ownership well defined. As soon as I left the
company and my email was disabled, all the boards under that email disappeared
from my account. This was expected and I kept using my primary email (I always
used to log in with my username) and completely forgot about an attached
secondary email (which anyways is now deactivated). Fast forward 5 years with
tons of personal boards under this account, one morning it stopped working
without any notification (yes I revised my spam to be sure about it) with all
my data gone.

~~~
pdonis
_> At some point, while working on a side project and to share it with a
teammate, I attached a secondary email to my account and created a few boards
under it. This email was my company's email_

This makes it seem like it's the third of the options I mentioned (personal
account which happens to have a work email as an alternate email). But what
you say a little further on (quoted below) makes it clear that it's the
second: you used the same Trello account for both personal and work items. If
the account had access to the company's boards, it's not just your personal
account any more. It's a mixed work/personal account (which, as I and others
in this thread have said, is not a good idea).

 _> As soon as I left the company and my email was disabled, all the boards
under that email disappeared from my account._

But you apparently didn't remove that company's email from the Trello account.
That's water under the bridge now, but in any case it seems like the company
ought to be fine with telling Atlassian that you're no longer working for them
and the email under their domain can be removed from the account.

What you seem to be wanting, though, is for Atlassian to just go ahead and
erase that company's email from the account, or otherwise disconnect that
account totally from the company so you can use it again, _without_ any
agreement from the company that that's ok. I don't see why Atlassian should do
that.

~~~
mercer
Surely the sensible option would be for Atlassian to allow you to keep all
your personal boards and only show the work-email boards if you sign in, or
allow you to 'disconnect' from those?

And if this is technically difficult to do (because boards are not obviously
linked to email addresses, or whatever), then that's still on them, but also
solvable: allow you to remove BigCo email and just not give you access to any
BigCo boards.

If you happened to have created a board yourself for BigCo, then that's still
available to you. And if that's not acceptable for Atlassian, they should make
boards more obviously connected to email addresses. Or something similar.

The equivalent to the current situation would be to allow you to add BigCo
email to your personal Dropbox account (for ease of logging in), and then
remove you from the entire account when BigCo revokes your access. That's
extremely unexpected!

~~~
yardie
And in fact this used to be how it worked. Work boards showed up in a separate
section that was clearly defined as enterprise. So my private work boards,
team boards, and template boards were there. My family and personal boards
were under my username. And it worked like this for years. Sans souci

~~~
mercer
So we can conclude that Atlassian started its journey fucking up Trello?

~~~
yardie
Not only did they fuck it up. It was implicitly used as a feature. If you can
attach multiple email accounts to a service then of course you would attach
your work email to it.

The real devious behaviour was assigning your entire account to another entity
to manage and without your permission. I've had to create a new account, ask
the enterprise account manager to remove my account, and move my cards to
another account. I've been using the account for 9 years and created many
small integrations. Why would I want to give that up? Now my workflow is
broken because the Trello app only allows one login so I have to decide is it
going to be work or personal that I'm viewing because I can't do both.

~~~
efreak
> the Trello app only allows one login so I have to decide is it going to be
> work or personal that I'm viewing because I can't do both.

If you're on Android, use Island or another app to set up a local Work
account; you can now install a second instance of any app under the same
profile, and log it into a different account. I'm unaware if iOS has similar.

------
stevoski
Whenever I get a “Good news! We’re changing things” email from Atlassian, I
get an ominous feeling.

It typically means they are making some changes to one of their products. The
changes don’t benefit me at all, but do cause me disruption.

I think any warm feeling I had towards Atlassian evaporated with the whole
HipChat-to-Stride-to-nothing fiasco.

1. “Good news! We are replacing HipChat with Stride, which is a worse product
with less features”

2. Soon after, “Good news! To serve you better, we are discontinuing Stride.”

~~~
discordance
"Good news, everyone. Tomorrow you'll be making a delivery to Ebola 9, the
virus planet."

― Professor Hubert J. Farnsworth

~~~
thaumasiotes
"In our quest to improve our service for you, the user, we're making it worse"

[http://chainsawsuit.com/comic/2017/12/07/improvements/](http://chainsawsuit.com/comic/2017/12/07/improvements/)

------
agotterer
Someone at my company had a Trello account they set up with their work email
and recently received an email that said the account was being migrated to an
existing Atlassian account. Since her email address matched the domain
operated by that Atlassian account all of her todos would be migrated to that
account.

Very little information was provided about the migration. My company has
multiple Atlassian accounts, so we weren’t even sure which account it was
migrating to.

The whole thing was a weird janky process. Anyone with an email address should
be able to register for an account and information should never be forcefully
migrated or merged. In her case the only way out was to migrate to an account
using a different email address.

~~~
g_delgado14
> The whole thing was a weird janky process

Atlassian's MO

------
yodon
We had one of these at work earlier this year, except a 3rd party contractor
suddenly found that their Atlassian account, including all their other
clients, were now listed as part of our account. Neither we nor they wanted
this.

------
boraoztunc
After seeing the comment from Blair at Atlassian on Community forum, I also
noticed that Support Team replied with a lot more care seeing that the
conversation went public. Not good.

In the first stage, they should have already made the right decision, handing
over the account to its rightful owner, without any hesitation. I hate
companies favoring companies over individuals. I thought this was a mindset of
old school businesses, not our current tech ones, the ones that build their
success on us.

I was already reviewing new tools for organizing plans, today I'm removing all
my boards and closing my account on Trello, as my civil response.

"Apathy is the tyrant's greatest ally."

------
antoncohen
Trello sent me this email today:

> _Using a work email address with Trello_

> At least one of the email addresses linked to your account belongs to an
> organization:

> <redacted>.com

> This usually means it's a work email. If this organization begins using
> Atlassian products while this email address is linked, your account could
> become managed by that organization, which means you could potentially lose
> access. If you don't use Trello for work, just select a non-organizational
> email.

In my case the "organization" is my personal domain. I'm guessing they
classify any email address that isn't with a common free email provider to be
a work email address.

~~~
Aeolun
That’s on par with ‘things programmers believe about names’. What an idiotic
conclusion.

------
Mandatum
So I just clicked on that link with a private browsing window and I'm logged
in as someone else in my org's account.

Someone I've never met, talked to or been in the same room as. They live on
the other side of the world.

I suspect some sort of IP-based cache has stored their cookie or a set
auth-header.

Very creepy, Atlassian.

~~~
mkj
Sounds more like a MITM https proxy at your org.

~~~
Mandatum
No additional root certs installed on this device. Checked the keychain, it's
OK.

------
frenchman99
Always keep separate personal and company accounts. If not for security
reasons, then for privacy reasons. Mixing them usually yields little benefit
anyway.

~~~
ScottFree
Let's take the personal out of it: what if you're a freelancer or a contractor
and the email and account used (and subsequently lost access to) was your
professional email and account? Something like scott@freetechnologies.com?

This whole situation makes me think I should steer clear of trello and clients
that use it.

~~~
quanticle
If you're a freelancer or a contractor, and you're doing work for someone who
uses Trello to manage projects, you should sign up with a throwaway e-mail
address. That's what I do for Github. That way, if that organization then
decides to wipe the account or mess around with its permissions after I've
stopped working for them, it's no skin off my back.

Personal stuff is _personal_ , work stuff is _work_ and ne'er shall the twain
meet.

~~~
danielhlockard
The github bit doesn't make any sense. When you leave you just get kicked from
the org...

~~~
franciscop
I also separate Github personally and professionally as a FTE. In most
countries the company where you work has full access to your work computer,
which implies also to your personal github and everything related to it.

As a freelancer they don't have access to your computer so things are
different.

------
BerislavLopac
The exact same thing happened to me. This was the Trello support team
response:

"I've taken a look at your account, and ultimately, the problem is that the
email address of your former employer was still attached to the Trello
account. In their recent account claim, this triggered your employer to claim
ownership of the Trello account, which is something Trello's terms allow
Enterprises to do. Because the email address was still on the account, your
employer identified it as an account that they should own, and ownership of
this Trello account was transferred to your former employer, so no changes can
be made to the account, and the company owns that account.

It sounds like you have personal content in this account that you want access
to? Given the account ownership, that's not something that we can do on our
end, unfortunately. If the company consented, they could remove your account
from all company teams, and then we could remove the Enterprise association,
but that's something you'd need to explore with them, if they'd be willing to
do that."

------
sbrother
This is scary. I’m trying to understand - I have several Trello accounts, one
that I use for my own personal work and some consulting clients, and several
other accounts with @client.com emails. Does this mean that if I have my
personal account added as a secondary email anywhere on a client owned board,
they can take control of my personal account including other clients’ IP? If
so that’s terrifying and we need to find alternatives ASAP.

~~~
shashanktomar
That is precisely what happened to me.

~~~
austhrow743
Elsewhere you wrote that the opposite scenario happened to you. You tainted
your personal account with a work email. This person is worried about tainting
their personal email with a work account.

~~~
shashanktomar
It's evident from their reply that they do not care about a primary or a
secondary email. In my case the company email was secondary, in this case it
is primary.

------
praestigiare
Easy answer: "An email address attached to your account is being set up for
SSO. You must update your account:

1. Remove the example.com address from your account. Warning: You will lose
access to all boards shared with this email address.

2. Accept the SSO migration. Warning: You will no longer be able to sign in
with your Trello email and password.

------
Legogris
OT, but I had this with Azure. My MS account was tied to the AD of a previous
customer. Can not access Azure dashboard or services at all. 5 years later and
still not resolved, despite numerous e-mails, phone calls, with several people
(they even insisted I install a .exe file in order to be able to do
screensharing. It took some persistence to make them accept that I shouldn't
have to install Windows and install a binary just to be able to restore my
account. That was about 6 months ago.

If this is how Microsoft support works for real, no wonder the scammers
getting people to install malware are successful).

------
downerending
A reasonably well-known blogging site handed my account to a would-be porn
star while I wasn't looking. That link is now way more interesting. And while
it was linked to my LinkedIn. Yikes.

The Internet gives, and the Internet takes away.

------
brentis
My company recently started using trello and noted my old login was hijacked
somehow and associated with my work domain.

How do I unfuck this situation while still employed with access to both my
gmail and work email?

~~~
saagarjha
Ask someone in your company to disassociate you?

------
logicuce
Seems like unpopular opinion given comments on this thread, but here it is
anyway.

Using my employer's email addresses for services I want to control doesn't
sound right. Of course, LinkedIn is a different story but for SaaS platforms
like Trello, my employer should be the rightful owner of the data I store in
there if I used it for work.

Imagine the other scenario, if that Trello account's control didn't move to
the employer, the employee would still be keeping the content he created FOR
the employer long after his employment has ended. I don't think that is cool.

Your data is your data, likewise, your employer's data is theirs. If you don't
want any hassle, keep these two lives different.

~~~
shashanktomar
I believe that is not entirely true. Here is the explanation
[https://news.ycombinator.com/item?id=22874704](https://news.ycombinator.com/item?id=22874704)

~~~
logicuce
You created a _Side Project_ but used your company's email ID to share it with
your teammate at work.

Does that side project belong to you or to your company? If it belonged to
you, why would you use office email ID for collaborating on it? and if it
belonged to the company, why would you manage it on a personal Trello account?

Sorry to sound harsh, but unless I am missing something, to begin with, looks
bad judgement on your part.

------
scoot_718
If this happened in my country that would breach privacy laws. It might also
constitute hacking depending on what kind of administration the company does.

~~~
mcv
I agree. This sounds like a gross violation of EU data privacy laws. Not every
country has those kinds of data protections for their citizens, unfortunately.

I hope that all Europeans hit by this will make an issue out of this that will
make Atlassian and other companies think twice before doing something like
this again.

------
harry8
This is fantastic PR for Atlassian.

All their customers present and potential are seeing them do exactly the wrong
thing ethically in order to take a side against an individual in favour of an
employer.

Big gold star from corporate. Individual developers, rob them, that is fine.
The customer is right. The user is not the customer.

The other way around. Taking a firm's IP and denying access to it while giving
it to a former employee who did not own it. Words like theft would be bandied
about freely.

Oh for the days of the rule of law and equality before it, huh?

~~~
Aissen
If a CISO looks at this, she might think "great, so anyone entering a
commercial relationship with Atlassian can now eventually take control of the
boards of some of my employees?".

And that's not good PR.

------
JiNCMG
The question that I have is... Will the control panel show the multiple
addresses and can you delete one off. I just checked both accounts (personal
and company) and they seem separate. In everything I do I always keep my work
account separate from my personal accounts. I use separate browsers, never
check personal email on company PC or network.

------
maest
What happens if I associate my Trello account with my personal gmail address
and two different corporate emails? (from different corporations). Who wins
between CorpA and CorpB?

------
hoppla
Sounds to me that Trello should have asked users to unlink any old accounts in
good time before making this move

~~~
mcv
And what if the user is on vacation or in the hospital or something? Such a
dramatic change to your account should be opt-in, not opt-out.

------
brentis
Too soon to start talking about Trello Alternatives or should we give them
another 5 minutes?

~~~
kyleee
Never too soon to talk about alternatives to Atlassian services

------
snack_man
Unbelievable. I've been waiting for the other shoe to drop since the Atlassian
acquisition, now strongly reconsidering my Trello usage. What's an easy
platform to migrate my data to?

------
gravypod
Does anyone have a good suggestion for ergonomic and functional ticket systems
you can self host? Preferably with some board management? This is personally
my key take away from this.

------
_wldu
I have seen 'secure storage' companies pitch to our management that 5,000
users with @example.com emails already use the personal version of the service
offered by the company. Now, I'm wondering if we bought the 'enterprise'
version of the service if the same thing would happen to these users. If so,
it seems the users ought to be given a choice to convert to the enterprise
version or change emails beforehand so they can keep their own personal
service intact.

------
subjectnull
I'm not blaming you by any stretch but this just further reinforces my view
that everyone should be self-hosting wherever they can.

You simply can't trust any corporation to do the right thing and GAF about
people's right to privacy or access to their own information.

I think whoever solves the problem of making it easy to offer web application
services while allowing users to own, protect and backup their own data will
be rewarded.

------
arh68
Do any accounts have 2 work emails tied to them, I wonder? Would they hand it
to Company A, who would gain whatever IP of Company B that was still in the
account? Would they arbitrate who gets what?

You know, the _one thing_ nice about using a cloud service is that your data
is just _there_, nice and safe. You know, usually.

------
rsre
I'm on the same boat.

I contacted Atlassian support via my personal email account and they informed
me that somehow my subscription is tied to my personal account, but I need to
use my former work email to login.

I can't do that, so I've lost access to all my personal boards and apparently
to my Gold Subscription too.

------
megavolcano
This is why I don't use SSO for personal affairs, unless required. The
convenience is not worth it to me, especially because I just use a password
manager to log me in anyway. The provider will just cut you off at a moment's
notice and then tell you to shove it. Besides, logging in is faster than
having to be redirected to another page just to use my password manager to log
in to my google account, redirect me back and then I'm in...just log in
directly.

I also never, ever, for any reason, no matter what, no matter where, or who,
or who I am with, or where I am going, or where I've been... ever, for any
reason whatsoever link a business email account to a personal account. I use
different browser profiles and keep all that stuff segregated.

------
savolai
Heads up: Notion works surprisingly well for trello boards, and they have
import functionality straight from Trello. The only thing that didn’t import
afaik is card tags/labels that didn’t have a name so I had to reimport after
adding names to tags/labels.

------
lki876
This sounds like a major GDPR violation. If they do business anywhere in
Europe they could face major fines if someone were to lodge a complaint with a
national data protection authority.

And here is a list of national data protection authorities in Europe:
[https://edpb.europa.eu/about-edpb/board/members_en](https://edpb.europa.eu/about-edpb/board/members_en)

~~~
geocar
I’m not sure I agree.

I have provided GDPR consulting in the UK over the last three years.

What exactly do you think was a violation?

~~~
vanburen
If the boards contained personally identifiable information and then that data
was transferred so that other people could access it, wouldn't that be
considered a data breach?

I guess people affected by this could submit a subject access request to get
their data back.

~~~
geocar
> If the boards contained personally identifiable information and then that
> data was transferred so that other people could access it, wouldn't that be
> considered a data breach?

I believe so, however this doesn't constitute legal advice (etc, etc)

------
wilhil
I hear stories like this all the time - I'm all for "cloud" in certain areas,
but, there are an increasing amount of companies that either don't care or
have short sighted policies.

I really think the future needs to look more at "master" accounts with
Azure/AWS and similar services, make it much easier to delegate access to
third parties so that the third party contains the core logic/application but
the data resides fully with your own account.

Data ownership is so important and overlooked by so many people who want an
easy life and want to forget physical servers to look after.

------
cassalian
I am far from a lawyer, so would someone with a better understanding of the
law explain to me why this wouldn't potentially violate laws around trade
secrets?

If someone uses a 'personal' email for setting up their business' trello
account (including what could be categorized as trade secrets); and at some
point in the future, they added a different company's domain to their account
as a secondary login; and then Trello hands everything over to that other
company; how isn't that a violation of trade secrets?

------
bearer_token
Imagine this from the other perspective:

1. You use Trello to track work with your team.

2. You invite your team to use Trello using corporate email accounts.

3. Someone leaves the company. You decommission their corporate email.

4. Five years later, you find out that person still has access to all of your
work trello boards.

At this point, I'd be flipping my shit and threatening to sue Trello.

Trello's response would be: sorry, the employee associated a 2nd personal
account.

This would be unacceptable from a corporate access control perspective!

~~~
crooked-v
> Five years later, you find out that person still has access to all of your
> work trello boards.

That's not how it works and not how it has worked.

It used to work like Github does, where access control to boards is by
account, not by associated email addresses.

------
thdrdt
In most countries whatever job related work you do is owned by your job (even
when you do it at home in your own time).

So never make the mistake to mix private with work.

I don't think Atlassian is to blame here. Maybe they could have communicated
this better to the owner of the account. But if you own an account it does not
mean you own the content if you used it for work.

~~~
mcv
Atlassian is absolutely to blame. You still own the account and any personal
data on it. It's not theirs to give away to someone else.

If a company thinks they own something on that account, they should address
that with the owner of the account. In court, if necessary. But companies just
seizing your data like that should be illegal, and companies should not enable
it. They certainly shouldn't proactively give your data to someone else.

Note that Youtube is also guilty of similar things, allowing companies to
claim ownership of independent users' original works. There need to be
stronger laws to crack down on such abuses.

------
emmelaich
I've had a similar thing happen. I got the cheap tier for myself.
(first.last@gmail). About the same time, I had a work email
(first.last@example).

For some reason, they listed my cheap tier license under the work email. I
still have no idea how this happened except for maybe laziness by some
Atlassian support person.

------
PerilousD
Trello has been advertising a lot on some podcasts that I listen to and I was
considering using them. Sorry about the problems you are having - good luck
with getting them resolved and thank you for posting this as I just crossed
Trello off the consideration list :-(

------
enesunal
I think this story proves the saying: Never, ever, ever mix your personal and
professional life.

------
matthewaveryusa
You're a special kind of person if you are concerned about the privacy of your
account and also enable your company's SSO on your account. I don't disagree
that the conclusion of the story is that it sucks, but the moment you meld
your private stuff with your company stuff you're asking for it.

I generally have little sympathy toward people expecting privacy on assets
provided by the company, whether that be hardware or software. If you read your
private email on a corporate asset, or enable sign-on with a corporate
credential, all data can and should be inspected by your corporation. The fact
that companies don't MitM _everything_ is what's surprising.

~~~
shashanktomar
Would you consider changing your opinion given more context
[https://news.ycombinator.com/item?id=22874704](https://news.ycombinator.com/item?id=22874704)

------
awinter-py
oauth is net negative IMO

Convenience is cool, the fact that one or more third parties has control of
your account on the saas service is less cool

also not so hot that it's used for login _and_ information sharing. I had an
experience where I read the oauth permissions carefully on a first login, and
then on a subsequent login the app included contacts in the permission set. I
noticed it too late. Super shady & I'll never use oauth personally again.

------
drtillberg
So next does Google get to dictate ownership of the Trello account, since
there's an @gmail.com login?

------
MrBoomixer
Well this was enough to give me some perspective. Time to clean up and delete
some accounts. Thank you.

------
daengh
Atlassian is starting to remind me of CA. Acquire something, rebrand it, make
it worse.

------
droithomme
What about sending Atlassian a cease and desist order, citing copyright law?
They are not hosting your personal copyrighted content with your permission
any more and have given access of it to unauthorized parties. I think you
should consider seeing an IP lawyer. Since they are not being reasonable and
are forcing you to legal measures, simply restoring your account is
insufficient, you will want a settlement. Each violation of your copyrighted
material might be good for $250,000 in fines.

------
nerdbaggy
Sounds kinda like the user's fault, having a corporate and personal email on
the same account. Atlassian probably could put a warning though about the
issues that could arise.

~~~
shashanktomar
I am the user in this case. I understand Atlassian's position in this case but
this is so hard to track over such a long period of time. I left this
workplace almost 5 years back and the account worked fine. Then it suddenly
stopped working without any notification from their side.

~~~
pdonis
_> this is so hard to track over such a long period of time._

But _you_ created the problem in the first place by adding your work email to
an account that had your personal boards in it. By doing that you _gave_ your
employer a means of controlling that account. You basically planted a time
bomb that could go off at some unpredictable time in the future. And it went
off.

~~~
pnw_hazor
Attaching a secondary email to an account does not grant ownership of content
or IP owned by the account holder to an entity associated with the secondary
email. At best it provides evidence that the account holder has [or had] a
relationship with the email domain owner.

Depending on the jurisdiction, if one suffers money damages as a result of the
unapproved transfer Trello or its business clients may be exposed to
liability. Also, I imagine there may be privacy or consumer protection laws
that could apply too even in the absence of money damages.

------
hashkb
This sucks but isn't Atlassian's fault. The lesson is of course to never
connect an account you don't own to anything you can't afford to lose.

~~~
shashanktomar
I understand Atlassian's part here. But Atlassian did this on purpose. They
clearly understand the implication and the ownership of accounts, but they
deliberately ignored individual users over big corporate accounts. And in my
case, they didn't even have the courtesy to notify me in any way. It just
stopped working one day leaving all my data unable to use.

~~~
nerdbaggy
Why would they allow an account with multiple email addresses to login with
the non SSO one? In your case you aren’t malicious but it could be used
maliciously

- add your personal email

- get fired and login with that email and now have all the data

~~~
toomuchtodo
I would argue that the "right" course of action is to immediately require
human intervention when an SSO email is added to an account (or an existing
account with an email address, such as a startup "going big league", becomes
SSO managed), so that account ownership issues are resolved at that point in
time by the parties with ownership interest, not Atlassian having to do so.

------
gumby
I think Atlassian’s position is correct here, sad to say. They had to make a
branch cut and I don’t think the other arm would be safe for them (company
stuff leaked to a private account). Of course that stuff was _already_ leaked,
but I think the liability would fall on Atlassian if the company couldn't delete
that stuff.

Don’t connect your personal stuff to your work stuff. That’s messed me up more
than once — lesson learned, painfully.

~~~
Wowfunhappy
The user's account contained a secondary email address from five years ago.
The user probably didn't even remember it was still on their account.

Should you lose your account over that?

~~~
javagram
Atlassian sent me an email earlier this year warning that all @company.com
accounts were about to be converted to corporate accounts and that I had a
month to opt out. (I did not opt out, because my @company.com Trello account
was intended for use with my company)

This person’s warning email probably ended up in spam.

In general I’m not sure the best way Atlassian could have handled this. The
recent upgrade to move @company.com accounts into having a better security
posture and control by the administration of the company does make sense.

Perhaps the person’s account should have just been disabled entirely until
they removed either their personal email or @company.com email from the
account to choose which way they wanted to go... That might have been the best
solution to both protect corporate security and also the individual.

~~~
jamiewildehk
IMO they should handle secondary emails differently to primary emails. Some
sort of in your face warning when you login to trello before the migration may
be appropriate.

~~~
Wowfunhappy
Just to be fair/clear, I meant "secondary email" in terms of how the user
treated it, ie they weren't actively using it to log in and presumably didn't
know it was still there.

As far as I'm aware, Trello didn't actually have one email marked as more
important in any way. Although they absolutely should have.

I still think Atlassian should have been able to predict this situation, and
should not have considered it acceptable.
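
Several comments in this thread propose the same control: when an organisation claims an email domain for SSO, an account that also carries addresses outside that domain is held until its owner chooses, and an account matching two claiming organisations goes to neither. The sketch below is an added example, not Trello's or Atlassian's code; the account model (a flat list of addresses with no primary flag), the function and enum names, and the sample domains are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    UNTOUCHED = "untouched"            # no address in any claimed domain
    MANAGE = "manage"                  # every address belongs to one claiming org
    HOLD_FOR_OWNER = "hold_for_owner"  # mixed addresses: the account owner decides
    HOLD_CONFLICT = "hold_conflict"    # addresses from two different claiming orgs


@dataclass(frozen=True)
class Decision:
    action: Action
    orgs: tuple = ()      # organisations whose claimed domain matched
    choices: tuple = ()   # options to present to the account owner


def domain_of(email):
    # Exact, case-insensitive domain match only; subdomains are not implied.
    return email.rsplit("@", 1)[-1].strip().lower()


def plan_domain_claim(emails, claimed_domains):
    """Decide what a domain claim may do to one account.

    emails: every address attached to the account (hypothetical model with
    no primary/secondary flag). claimed_domains: {domain: org_id}.
    """
    matched = {}                       # org_id -> addresses in its domain
    personal = []
    for email in emails:
        org = claimed_domains.get(domain_of(email))
        if org is None:
            personal.append(email)
        else:
            matched.setdefault(org, []).append(email)

    orgs = tuple(sorted(matched))
    if not orgs:
        return Decision(Action.UNTOUCHED)
    if len(orgs) > 1:
        # Two organisations claim the same account: neither wins automatically.
        return Decision(Action.HOLD_CONFLICT, orgs,
                        tuple(f"remove addresses claimed by {o}" for o in orgs))
    if personal:
        # Mixed account: block sign-in until the owner picks one side.
        claimed = ", ".join(matched[orgs[0]])
        return Decision(Action.HOLD_FOR_OWNER, orgs, (
            f"remove {claimed} and keep password sign-in",
            f"accept SSO management by {orgs[0]}",
        ))
    return Decision(Action.MANAGE, orgs)


# Constructed sample data.
CLAIMS = {"company.example": "org-a", "other.example": "org-b"}
```

Only the `MANAGE` outcome hands control to the organisation without asking; every other matched case stops and waits for the account owner.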

