
Personal gmail account claimed by SSO, can't login anymore.

My login to Trello is with my personal Gmail account. With the new SSO login screen, as soon as I enter my Gmail address, it redirects me to my previous company SSO page (which I left 5 years ago, btw). The email address is clearly @gmail.com. It being claimed by an SSO without my consent is extremely scary. Now I am completely locked out of my account. I have raised a support request, but have not heard back. Anyone facing the same issue?

18 answers

Seems like an unethical approach by Atlassian. Someone can start with a personal account then get it hijacked by a corp just by having another login?

What if there are TWO enterprise accounts associated with the same account, along with the personal?

"Since Acme has claimed the domain that you're using as one of your saved email credentials, and they have recently enforced SSO for all Trello users in their domain, this means your Trello account is now managed by the Trello Enterprise Acme by way of their SSO enforcement."

^^ No. Not "by way of their SSO enforcement." But by way of Atlassian's half-baked policy that allows an enterprise account to take over a user's personal intellectual property.

It is unacceptable to enforce a policy like this without specifically ALSO enforcing that the enterprise company MUST be specified as the owner of the SPECIFIC BOARDS subject to the SSO-control policy. If it were specific boards, this would be perfectly acceptable. This "borg" like approach that lets an enterprise claim an entire user identity means users DO NOT truly have multiple logins, and that functionality should not even be allowed, if Atlassian cannot be bothered to provide a UI to specify which parent entity (enterprise versus individual user) owns which assets accessible within a single user's login space.

I'm not a lawyer, but I do know a little about international privacy regulation, and Atlassian may find themselves on the wrong side of the law here. The detail will obviously be key, but the rights of Acme Corporation do not necessarily overrule the legal rights of the OP. In addition, if the OP finds themself unprotected by virtue of their geography (in the EU their personal rights would currently protect them, in the US maybe not), then it might be interesting to hear whether the action taken here constitutes theft?! Someone would need to check the terms, but I'm guessing Atlassian doesn't own your content, you do, and they merely host it.

For those who are curious, this was the communication in the email thread.


My Reply:
Thanks for getting back to me on this. This is a very bizarre situation. I do not understand a few things here.

Support Team: I've taken a look at your account, and ultimately, the problem is that the email address of your former employer was still attached to the Trello account.

Me: How can a former employer email address be attached to my account? My email was discontinued as I left my workplace a long time back and I have never used that email address. I am very sure I never used it to log in to my account.


Support Team: Because the email address was still on the account, your employer identified it as an account that they should own, and ownership of this Trello account was transferred to your former employer, so no changes can be made to the account, and the company owns that account.

Me: As it is very evident from my login email id that this account is not owned by the company, wasn't it even considered appropriate to contact me on my email id before transferring the account? How can a company own a private account even if the domain mismatch? How is it not a violation of my privacy terms?

Support Team: Given the account ownership, that's not something that we can do on our end, unfortunately. We can release your personal email which would allow you to create a new account in Trello.

Me: This clearly means I will lose all my data (which is a lot) on my actual account. Looks like it is not a viable solution.

Support Team: In case of any further questions please reach out to the [Company Name] support team using [Trello support email for company].

Me: The email to this address bounces back; it is not even active. I am kind of baffled by this situation. Trello is one of my primary tools for organizing information and holds a lot of personal data. Can you please help me resolve this as soon as possible?

Support Team Reply

Thank you for your reply. I also noticed your post in our Community forum - I'll follow up on the thread there, as well, just in case there are other users who might be in the same situation as you are. The answer I'm providing is the same for any Trello user who has an email address on their account that is owned by a Trello Enterprise with enforced SSO.
Right now, your Trello account has 2 email addresses saved as credentials. One of them is your gmail email address and one of them is the email address owned by your former employer, ACME.
I understand your perspective, that having your personal email on file means something - however, the ACME email address is currently on your Trello account as a saved credential. Regardless if the email address still exists right now or not, the email with the ACME claimed domain is on your Trello account as a saved credential. This is the crux of the situation. The ACME Trello Enterprise has enforced SSO, meaning any Trello user with one of their emails as a saved credential must log in with ACME SSO, even if the user also has a personal email address as a saved credential. The reason for this is because The Enterprise has claimed the ACME domain, and therefore, ownership of the Trello accounts containing their credentials, which is something Trello's terms allow Enterprises to do. If you can't log in with their SSO because you no longer have valid credentials with their IdP, I'm afraid you cannot log into the Trello account.
If the company Enterprise Admin consented, then we could remove the Enterprise association from your Trello account, but that's something you'd need to explore with them, if they'd be willing to do that. It's not an uncommon request for Enterprises to hear from former employees in this situation. The support email [Company Trello Support Email] was provided to us by the ACME team, and I'm sorry to hear you got a bounce-back from it. We may recommend to reach out to their HR team, or perhaps try to get connected to one of the Trello Enterprise admins through any contacts you may still have at the company.
From the Trello support side, we cannot remove the ACME email from your Trello account, nor can we release your account from the Enterprise SSO association. I know that is frustrating for you, and I'm sorry for the inconveniences you've faced in trying to reach ACME about this. If you end up getting in touch with an Enterprise Admin from ACME and they say it's okay for us to remove your account from Enterprise SSO on this thread, we can do that. Without the authorization of an Enterprise Admin, the only option from the Trello support side is to remove your gmail email address from the account so that you can create a new Trello account with it. This would mean that the content within the existing account containing the ACME email address cannot be accessed unless you were to log in with ACME SSO.
If you would like us to remove your gmail email address from the account, you're welcome to request that in a reply anytime.
We'll also be glad to comply with an Enterprise Admin from ACME if they would like to comment on this thread.
Thank you for your understanding, Shashank. Please let me know if you have any additional Trello questions.

Here is a relevant discussion on Hacker News

I got an email on my work email from Trello, saying that my work email is associated with my account. I have only a Gmail email as a Trello account. I don't know why they are saying my work email is attached to my account. How do I check and remove it? Do they read the content, and if I write the company email ID anywhere as text, will they do this?

4 votes

Hey Shashank,


I wanted to follow-up on this Community thread after speaking with you about this topic via email. To protect your privacy, I'm obfuscating the real name of the company in question. Let's call them Acme in this post.

Right now, your Trello account has 2 email addresses saved as credentials. One of them is your gmail email address and one of them is the email address owned by your former employer, Acme.

Since Acme has claimed the domain that you're using as one of your saved email credentials, and they have recently enforced SSO for all Trello users in their domain, this means your Trello account is now managed by the Trello Enterprise Acme by way of their SSO enforcement. Now, any Trello user with one of their emails as a saved credential must log in with Acme SSO, even if the user also has a personal email address as a saved credential. 

If the Acme Enterprise Admin consented, then we could remove the Enterprise association from your Trello account, but that's something the Trello team can't make a decision on - it must come from the Enterprise Admin.

I know it's a frustrating situation, and I'm sorry that we don't have more options to present in terms of workarounds. (The only work around without Enterprise Admin involvement would be for Trello to remove your personal email from your existing account so that you can create a new Trello account.)

If you end up getting in touch with an Enterprise Admin from the company, forward them our 1:1 email thread. If they approve for us to remove your account from their Enterprise SSO connection, please have them comment on our ongoing email thread and we'll be glad to move forward after that.

Thank you for your understanding, Shashank. Please let me know if you have additional questions with regard to Trello Enterprise SSO enforcement, or anything else.

I am lucky that my account was still logged into my phone. After some tedious work, I have moved my documents to another tool.

It is very evident from the reply that Atlassian favors corporate accounts over individuals, which is unethical from my perspective given individual accounts are the ones behind the success of all such startups. Above all this, they didn't even have the courtesy to notify me in any way before handing over my data to someone else.

I am happily moving away from Trello.


Dear Atlassian,

You are taking an unethical and poorly considered position here. I hope to see a correction in the near future.


Atlassian, you took a personal account and handed over control of it to a company merely because at some point it had a company-branded email address associated with it as a secondary email. Do you even realize how ridiculous and unprofessional it looks to the rest of the internet that you did this?

I know it is easy to see Atlassian at fault here for favouring corporates. But why would an employee use a personal email with a corporate email? If it is personal, keep it personal. If you own a business, you understand that employees steal data in this very manner. I am not saying everyone is a thief or a bad guy. I have been an employee of a corporate before, and I used to manage corporate data. It was hard without enforcing such stuff.

My suggestion is to never mix personal and corporate information in one account. Otherwise you will always bring on such issues.

I will try to set some context here. I created my personal account long before Trello was acquired by Atlassian. It did not have any SSO at that point and the login was with username and password. At some point, while working on a side project and to share it with a teammate, I attached a secondary email to my account and created a few boards under it. This email was my company's email, @Company.com.

The multiple account login used to work the same way it works for GitHub now. The boards were very clearly labeled under the email/username they were created with and clearly had the ownership well defined. As soon as I left the company and my email was disabled, all the boards under that email disappeared from my account. This was expected, and I kept using my primary email (I always used to log in with my username) and completely forgot about an attached secondary email (which anyways is now deactivated). Fast forward 5 years with tons of personal boards under this account, one morning it stopped working without any notification (yes, I revised my spam to be sure about it) with all my data gone.

@archergod Consider the case of long-term part-time contract work. Someone could easily have a half-dozen different email addresses all used for internal communications with different companies. Even keeping a "strictly professional" account, someone could have all their work locked away by Atlassian because a company they intermittently do contract work for turned on SSO.


@shashanktomar "I am lucky that my account was still logged into my phone."  Do you mean that after this "security" measure was put in place, you were still logged in using the gmail account from another device?  Months later?

Welp, this was the final nudge for me with Atlassian. Moved all my private repos (that is, all my repos) to a different service.

Mind you this was not the only reason for me to leave, but even the glimmer of chance that one of my former employers would somehow be able to claim ownership of all my private stuff is pretty terrifying to me - aside of course from it being 100% illegal (at least on EU terms).

And the response of "sorry bro it's not our problem now" is beyond outrageous. This is your client, it's your own god damn responsibility to solve this. If you need to reach out to some of your other clients in order to fix what you messed up, you should bend over backwards and do that.

@John Stephens I can confirm that the account is logged in on my phone right now and I can access all my boards. This move from Atlassian could have saved everyone lots of pain if it was not a half-baked solution.


@shashanktomar Wow, luck be with you.  We jumped ship from Atlassian a while ago...can't even remember which half-baked solution sealed the deal.

areinking I'm New Here Apr 15, 2020

@Štěpán_Tesař I think I'll be following suit. I also have a couple of contracting emails attached to my account and don't want this to happen to me.

This is a wildly inappropriate action. Accounts that belong to different teams should either require the SSO login before accessing any team data, or should send a merge request that the account owner has to accept while logged in. Enterprises should have the option to request merges and request SSO logins for data, and disable access to any account that doesn't comply. Stealing is not a permission that should be granted to enterprise accounts.

Sometimes an email is shared between companies (like if one user interacts with boards at multiple companies), or between a user and a company. The correct service action is to wall off enterprise data without an enterprise login. Handing over an account with data that doesn't belong to that company is illegal.

You are now at least an accomplice in IP theft and/or corporate espionage. What if his former company is now furiously copying his data? Granting them access to it is wrong regardless of if they're using that access. You own distribution rights to an entity's data solely as far as it is needed to serve that data to the members of the different teams. Seizing the data of one entity and handing it to another while blocking access to the owning entity is theft.

It'd be one thing if you admitted to technical difficulties and worked with him to resolve it. Instead you've asked him to request the new owner to hand back what was stolen by you. Frankly, this whole thing is a legal minefield and I'd not be the least bit surprised if you get sued over it. Because at this point, you deserve it. You've piled on error after error and refuse to assist or accept responsibility for the mistake. And you're liable for the value of all the data in his account.

Good job on allaying fears about data and services hosted by Australian companies. First we were worried about the Australian government stealing data. Now we have to keep an eye out for every enterprise user on the site. Now I've got to make steps to save my valuable data before you give it away to the first bidder.

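The design difference the post above argues for, as an added example that is not part of the original thread and is not Atlassian's code: whole-account SSO enforcement as the support replies describe it, next to enforcement scoped to enterprise-owned boards. The data model, function names, `.example` domains and the handling of several claiming enterprises are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Board:
    name: str
    owner_domain: Optional[str]  # None = personal board (hypothetical field)


@dataclass
class Account:
    emails: list  # saved credentials, primary first
    boards: list


def domain(email: str) -> str:
    return email.rsplit("@", 1)[1].lower()


def claims(account: Account, sso_domains: set) -> list:
    """Saved emails (primary or secondary) that fall in an SSO-enforcing domain."""
    return [e for e in account.emails if domain(e) in sso_domains]


def account_level_access(account: Account, sso_domains: set, idp_sessions: set) -> set:
    """Whole-account enforcement, as the support replies describe it: one
    claimed email puts every board behind that enterprise's IdP.
    Assumption: with several claiming domains, all must be satisfied."""
    needed = {domain(e) for e in claims(account, sso_domains)}
    if needed - idp_sessions:
        return set()  # locked out of everything, personal boards included
    return {b.name for b in account.boards}


def board_level_access(account: Account, sso_domains: set, idp_sessions: set) -> set:
    """Scoped enforcement, as the post above proposes: only boards owned by
    an SSO-enforcing enterprise require a live session with its IdP."""
    return {
        b.name for b in account.boards
        if b.owner_domain not in sso_domains or b.owner_domain in idp_sessions
    }


# Constructed sample data; the .example domains are placeholders.
SSO_DOMAINS = {"acme.example", "globex.example"}

former_employee = Account(
    emails=["me@mail.example", "me@acme.example"],  # stale secondary address
    boards=[Board("Recipes", None), Board("Side project", None),
            Board("Acme roadmap", "acme.example")],
)
contractor = Account(
    emails=["c@mail.example", "c@acme.example", "c@globex.example"],
    boards=[Board("Invoices", None), Board("Acme sprint", "acme.example"),
            Board("Globex sprint", "globex.example")],
)

if __name__ == "__main__":
    cases = [("former employee", former_employee, set()),
             ("contractor", contractor, {"globex.example"})]
    for who, acct, sessions in cases:
        print(who, "claimed via", claims(acct, SSO_DOMAINS))
        print("  account-level:", sorted(account_level_access(acct, SSO_DOMAINS, sessions)))
        print("  board-level:  ", sorted(board_level_access(acct, SSO_DOMAINS, sessions)))
```

The `claims` helper doubles as an audit check: any account where it returns an address other than the primary one is exposed to the lockout described in this thread.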
4 votes

Needs resolving, this is concerning and will consider a different tool if there's not an appropriate update.

 

Where in the Trello interface can I even check what other email addresses are associated with my account?

I also could not find it. Did you?

For Enterprise customers, what happens when two email addresses from different companies are added to a single account? If both companies claim the account, who does it belong to?

3 votes

I have this exact same issue and not able to get in touch with my ACME corp. This just sucks for people like me who used Trello with personal and professional email addresses.

2 votes

This is really bad form by Atlassian!

Does Atlassian even care about this thread? This is the most viewed thread on Trello forum and second overall on Atlassian but looks like they just want to ignore it.

Probably not, until someone realizes IP has potentially been transferred to unauthorized parties. Actually, the receiver probably has the highest liability here. Hopefully your account didn't include any protected information that would cause problems for your former employer.

I got hit by the same thing. We "fixed" it by the whole company shutting down all Atlassian stuff for an hour, changing the email on my personal account, and then setting up Atlassian integration again. Support told me twice that it was impossible before we did that. Good luck getting your old employer to do the same :(

Guess I am not storing any personal info on Atlassian cloud anymore.

It's outrageous.

The exact same thing happened to me; this is the response I got from the Trello support:

I've taken a look at your account, and ultimately, the problem is that the email address of your former employer was still attached to the Trello account. In their recent account claim, this triggered your employer to claim ownership of the Trello account, which is something Trello's terms allow Enterprises to do. Because the email address was still on the account, your employer identified it as an account that they should own, and ownership of this Trello account was transferred to your former employer, so no changes can be made to the account, and the company owns that account.

It sounds like you have personal content in this account that you want access to? Given the account ownership, that's not something that we can do on our end, unfortunately. If the company consented, they could remove your account from all company teams, and then we could remove the Enterprise association, but that's something you'd need to explore with them, if they'd be willing to do that.

0 votes

#ohtrellno

Please Atlassian - I'm looking for more reasons NOT to recommend your products to anyone any more.

I didn't think you'd be able to come up with a new way to do it so soon after the last issue, but you have done yourself proud again!

 

It's time for a new ticket management startup to replace the gap left by Atlassian's new corporate overlords.

Their SSO implementations are pretty embarrassing. If you have an identity provider, and want to use it for Atlassian, you pay the same fee as if you were using their identity provider.

So inappropriate!

0 votes

Same thing happened to me and Atlassian support told me to go pound sand. I had a personal Trello account created years before I worked for the employer in question. Employer adopted Trello on a trial basis (thanks to me and a colleague who pushed for it as being a good tool.)

I added my work email as a secondary thinking it was just for notifications and whatnot. I assumed permissioning was handled by boards and teams so it was fine to use a singular account for everything.

A year or so after I left my employer, they signed up with Atlassian enterprise and boom, my entire Trello account was handed over to them. 

Atlassian's model of tying legal ownership to any email on the account depending on convenience is terrible and looks like it hasn’t screwed just me over. I’m also pretty sure it is illegal under Canadian privacy law since this sort of account takeover isn’t provided for in the Terms of Service. However, the only way to enforce that would be legal action which honestly isn’t worth the effort unless something bad happens to the data misappropriated.

I don’t recommend Atlassian products to my employers and clients anymore and usually caution the smaller ones away.

0 votes

Also happened to me. Personal main email on a Trello account I've probably had for 8 years now but I added a work address at one point and forgot to remove it and Trello told me there was nothing they could do from their end. 

So tried contacting people from my previous employers, from like 5 years ago, and the support request just got lost in the endless red tape of Big Blue. 

Similar situation, glad I was logged in on my phone and was able to create a new user and give me control back of all my boards.

However after reading this I do realise that I should probably delete my old account, which is a shame, if I am concerned about my privacy.

Conferred with a user on Twitter who I found with the same issue and he just made a new Trello account unfortunately.
