Elsewhere you wrote that the opposite scenario happened to you. You tainted your personal account with a work email. This person is worried about tainting their personal email with a work account.
It's evident from their reply that they do not care about a primary or a secondary email. In my case the company email was secondary, in this case it is primary.
From the comments, there is some confusion about why did i attach my personal email to a company account. That was not the case, let me clarify it.
I created my personal account long before Trello was acquired by Atlassian. It did not have any SSO at that point and the login was with username and password. At some point, while working on a side project and to share it with a teammate, I attached a secondary email to my account and created few boards under it. This email was my companies email @company.com
The multiple account login used to work the same way it works for github now. The boards were very clearly labeled under the email/username they were created and clearly had the ownership well defined. As soon as I left the company and my email was disabled, all the boards under that email disappeared from my account. This was expected and kept using my primary email (i always used to login with my username) and completely forgot about an attached secondary email (which anyways is now deactivated). Fast forward 5 years with tons of personal boards under this account, one morning it stopped working without any notification (yes i revised my spam to be sure about it) with all my data gone.
Wow, their response is atrocious. It's basically just "Yes, that's right, there was a second email address attached to your account and the owner of the domain for that email set up SSO, so they now own your account. Try asking them nicely for it."
I started disentangling myself from Atlassian products a few years ago but I was still using Trello. Clearly that's going to have to stop.
Instead, I have a strict separation rule for these kind of services.
No work stuff is hosted in my personal accounts, and work accounts are always created with a separate e-mail. I can just remove myself from everything work related without touching anything personal.
While I was working with a small group, we had our own domain and e-mail addresses as a perk. My relationship went sour with the lead of the project and, as a power move, she disabled my e-mail and other accounts related to that group, guessing that a lot of stuff is connected to this e-mail (since the domain was prestigious in that circles) and doing so will hurt me a lot.
Since only things related to the group/work was on that e-mail, literally nothing happened. I just broke off cleanly from the group and, a move designed to hurt me brought bliss to the parting process.
Meanwhile on Facebook you cannot create a page for a business(say you work in the marketing department) without linking your PERSONAL account to it. Absolutely fucking insane.
That's a completely different thing. One, Facebook is based around the concept of a real person being behind just about everything - when you administer a group, you can see which person posted the individual company/page posts. Two, nothing can happen to your personal account based on the actions of the company page or other people associated with it.
> One, Facebook is based around the concept of a real person being behind just about everything - when you administer a group, you can see which person posted the individual company/page posts.
So do it the same way every other website on the planet does it: have an organization and users who have roles within that organization. It's beyond aggravating the way they have them so strongly linked.
> Two, nothing can happen to your personal account based on the actions of the company page or other people associated with it.
.... I'm guessing this hasn't happened to you. Yes, they will block your personal account for "certain" infractions committed by the business manager. Nearest I can tell it depends on how you set up the business. If you set up the business FB page first, your personal account is considered primary so all blame flows to it. If you set up the business manager first, and THEN set up the page using the business manager (NOT the page creator), then it won't affect your personal account; and if you invite someone, no, that person's account won't (generally) be affected either.
Except that FB always drives you to create the business PAGE first and LATER suggests the business manager... thus increasing the likelihood of blocks. It's pathological. Especially because you can blocked for nothing other than their AI misidentifies something in an ad or a post, kills all your accounts, and then you have to beg to get them back.
Point is, that relationship shouldn't exist in the first place.
I have separate personal and work Trello accounts. After seeing your report, I checked to make sure they're still separate. They are but each have access to each others' boards.
I have yet to figure out how to deactivate that.. but since they're separate users (vs secondary email), I don't think the same will happen. But who knows? Not me.
There is no shortage of atrocious examples, like this one, that prove that people need to take digital sovereignty seriously. Our data and our interactions should not be intermediated by some digital feudalistic lord, without any recourse when something goes wrong.
Atlassian is not the only one who wrecked login by implementing SSO across all their instances.
I really don’t recommend using in-app dual logins (for example Gmail’s dual login), and stick to using separate Chrome profiles or Firefox profiles, so that none of the cookies are shared. Even with that, I’ve had surprises with my mobile phone number being the only shared information between two Google Ads accounts, and Google mixing my data, but avoiding sharing cookies is really important.
That is also what I recommend my employees. « You can use Facebook or Youtube at work, but not in the same Chrome profile. »
> It would have been better if Mozilla had added a better interface to profiles.
Profiles in Chrome and their ease of use (Cmd+Shift+M to open a new window in a different profile) is the primary reason I still use Chrome over Firefox. I have a Personal, a Work, and a Development profile. The development profile is where I install dev extensions like React Devtools, Redux Devtools, etc. because they require full access to all sites in order to function. I don’t do regular web browsing with devtools installed. These tools seem trustworthy, but why risk giving them access to everything I do on the web?
I’ve tried Firefox Containers and can’t find the same power and ease of use Chrome Profiles have.
I see your point now, I was preferring containers because I have this scenario where I want the data separation it provides without the need of reinstalling add-ons, especially on a temporal container/profile. The shared window can be nice on some particular moments where I don't need to have a lot of pages opened and are continuously changing from tab to tab.
Thinking over about you said, now I think I like things from the two worlds, maybe better interface to containers or even better UI for profiles, with options to overcome the containers (maybe should be better for the average user instead of having both).
For the time being, I prefer to have both options (don't have it now) but I think both can be improved.
Upside of Chrome profiles: Use a bright red theme for prod sysadmin profile, and blue for work. So you never type « p... » on your work profile by mistake... Don’t laugh, usage is widespread.
I do exactly this too: I have 3 distinctly different themes for the three profiles I use. A split second glance at the color of the tab bar informs me which profile I'm working with.
I'm not znpy so I don't know why they don't like containers.
But I prefer profiles myself, as I have different extensions in different profiles and I get the two completely separate instances of Firefox, while containers are just separate tabs instead.
I don't think containers are awful though, they are just less useful for my use case than profiles.
I sometimes have issues with the profiles too though. If I have both profiles running concurrently and I click a link from a different application, I get an error that "Firefox is already running" and it freezes up the window with my primary profile.
If you dig around, there is probably a value in `about:config` that lets you tell firefox to always show the profile selector first. Otherwise, add `-P` to the argument fields in your desktop shortcut.
Extensions, mostly. You have to be real careful which extensions you install because extensions run at the window level (mostly) rather than the container level and see across/through containers.
Also things like auto-fill (including password suggestions); if you like that being very specific to context, then you'd want different profiles rather than containers.
I've found I've been using a mixture of profiles and containers, myself, to balance ease of access (containers are fast to launch and can auto-launch per specific sites) versus better extension control and auto-fill/etc separation.
(ETA: As for finger-printing, both containers and profiles are equal on the most common finger-printing: cookies and localStorage. Neither protects you well from IP Address tracking, which is a growing concern, but not the approach of at least the big players like Google or Facebook, yet.)
True, but by using profiles you don't need any extra extensions, it comes built-in in both Chrome and Firefox, you can simply start it with providing the `--profile <path>` flag. Correct me if I'm wrong, but some IT environments also lock down installing extensions from addons.mozilla.org, so the profiles tip would be applicable to more people.
You can just use --profile <name> -- with only the name of the profile.
Also, you can backup/restore/move profiles independently of each other.
Also, you can have different network settings for different profiles (not sure you can do that with containers).
For example I have a profile whose network connections are such that traffic is forwarded through a socks proxy (implemented via ssh). That's basically an ultra-simple vpn. I can then (via a script) automatically launch the tunnel open firefox with the appropriate profile and then exit firefox and gracefully stopping my tunnel.
I remember it used to be a native feature but I'm fairly certain they split it out into a separate addon after a while. Or did they move it back into core?
Partly because Mozilla is continuing to iterate/experiment on the container UI and leaving that to extensions is a way to keep that laboratory open. They seem worried the UI may be too confusing if it was on by default for a lot of users. (Like the era decades ago when -ProfileManager was on-by-default in some installs.)
Mozilla even has two official extensions, trying to explore the space of ease of use/user expectations. In addition to the main multi-container extension they offer Facebook Container which is an extension designed to be more entry level but for folks worried about privacy. (It does what it says on a tin, creates only one additional container, names it Facebook, and automatically moves all Facebook tabs and pretty much only Facebook tabs into it.)
We had the same with Amazon, we created a new Amazon account but shared the telephone number. Support sent emails to the first account concerning the second account.
I have stopped giving out phone numbers to services. I can get throwaway email addresses (eg anonaddy.me, which is great) but burner numbers incur a significant time and cost, so I just don’t use services that demand one now.
Google Accounts fall into this category these days. Possible I’ll deprecate my use of those, as I don’t use gmail or drive any longer.
I had to use GDPR to force them to delete one of my accounts because my account got stuck in the registration where I could not complete the registration and could not delete the registration either. First time I used GDPR for anything. Support did not understand the situation, I waked through them the issue with screenshots, nothing.
Serious question as someone who does not use any "cloud" services: Did you not have a backup of your data in Trello? Orthogonal to the issue of account ownership, on which I stand firmly in your favour, did you not have a backup of the data? What would happen if Trello went bust, or somehow otherwise lost your data?
> In this case, I did not even use the company email. I was my personal gmail.
From the Atlassian community page it looks like the Trello account in question was linked to both your personal gmail account and an email account belonging to your former employer. Was that Trello account only for work items for that former employer? Or was it a mixture of both work items for that employer and personal items for you? Or was it just your personal account that happened to have your work email as an alternate email address?
If it was just a work Trello acccount with your former employer, then I'm not sure why you would need access to that Trello account now that you're no longer with that employer. Atlassian is giving you the option of disconnecting your personal gmail from that account so you can create a new one if you want a personal Trello account.
If it was a mixture of work and personal items in the Trello account, then the obvious lesson learned for the future is to not do that.
If it was just your personal Trello account, I don't see why your previous employer would have a problem with telling Atlassian that it's not their account and that the email address in their domain can be removed.
In any case, it doesn't look to me like this situation is Trello's fault. You say in a comment on the Atlassian community page that "It is very evident from the reply that Atlassian favors corporate accounts over individuals", but I don't see that they are favoring either party here. In fact they are refusing to favor either party, by refusing to make a decision--which email the account "really" belongs to--that they should not be making. This is something the two parties involved--you and your former employer--need to work out. It's not something Trello should be deciding. They have no way of knowing which party--you or your former employer--is the "right" owner of this account.
I will try to set some context here. I created my personal account long before Trello was acquired by Atlassian. It did not have any SSO at that point and the login was with username and password. At some point, while working on a side project and to share it with a teammate, I attached a secondary email to my account and created few boards under it. This email was my companies email @company.com
The multiple account login used to work the same way it works for github now. The boards were very clearly labeled under the email/username they were created and clearly had the ownership well defined. As soon as I left the company and my email was disabled, all the boards under that email disappeared from my account. This was expected and kept using my primary email (i always used to login with my username) and completely forgot about an attached secondary email (which anyways is now deactivated). Fast forward 5 years with tons of personal boards under this account, one morning it stopped working without any notification (yes i revised my spam to be sure about it) with all my data gone.
> At some point, while working on a side project and to share it with a teammate, I attached a secondary email to my account and created few boards under it. This email was my companies email
This makes it seem like it's the third of the options I mentioned (personal account which happens to have a work email as an alternate email). But what you say a little further on (quoted below) makes it clear that it's the second: you used the same Trello account for both personal and work items. If the account had access to the company's boards, it's not just your personal account any more. It's a mixed work/personal account (which, as I and others in this thread have said, is not a good idea).
> As soon as I left the company and my email was disabled, all the boards under that email disappeared from my account.
But you apparently didn't remove that company's email from the Trello account. That's water under the bridge now, but in any case it seems like the company ought to be fine with telling Atlassian that you're no longer working for them and the email under their domain can be removed from the account.
What you seem to be wanting, though, is for Atlassian to just go ahead and erase that company's email from the account, or otherwise disconnect that account totally from the company so you can use it again, without any agreement from the company that that's ok. I don't see why Atlassian should do that.
Surely the sensible option would be for Atlassian to allow you to keep all your personal boards and only show the work-email boards if you sign in, or allow you to 'disconnect' from those?
And if this is technically difficult to do (because boards are not obviously linked to email addresses, or whatever), then that's still on them, but also solvable: allow you to remove BigCo email and just not give you access to any BigCo boards.
If you happened to have created a board yourself for BigCo, then that's still available to you. And if that's not acceptable for Atlassian, they should make boards more obviously connected to email addresses. Or something similar.
The equivalent to the current situation would be to allow you to add BigCo email to your personal Drobox account (for ease of logging in), and then remove you from the entire account when BigCo revokes your access. That's extremely unexpected!
And in fact this used to be how it worked. Work boards showed up in a separate section that was clearly defined as enterprise. So my private work boards, team boards, and template boards were there. My family and personal boards were under my username. And it worked like this for years. Sans souci
Not only did they fuck it up. It was implicitly used as a feature. If you can attach multiple email accounts to a service then of course you would attach your work email to it.
The real devious behaviour was assigning your entire account to another entity to manage and without your permission. I've had to create a new account, ask the enterprise account manager to remove my account, and move my cards to another account. I've been using the account for 9 years and created many small integrations. Why would I want to give that up? Now my workflow is broken because the Trello app only allows one login so I have to decide is it going to be work or personal that I'm viewing because I can't do both.
> the Trello app only allows one login so I have to decide is it going to be work or personal that I'm viewing because I can't do both.
If you're on Android, use Island or another app to set up a local Work account; you can now install a second instance of any app under the same profile, and log it into a different account. I'm unaware if iOS has similar.
> If you can attach multiple email accounts to a service then of course you would attach your work email to it.
Why? To me this is an obvious mistake. If you need to have sole control over your access to your account, then you should never attach an email to it that you don't control. You don't control your work email.
> Surely the sensible option would be for Atlassian to allow you to keep all your personal boards and only show the work-email boards if you sign in, or allow you to 'disconnect' from those?
To me the sensible option is to have separate accounts for work and personal, and to never mix them. That way you're never even tempted to make the mistake of attaching an email you don't control--your work email--to an account that has your own stuff in it that you need to have sole control over.
I am the user in this case.
When I linked the accounts almost 6-7 years ago, Trello was not part of Atlassian and there was no SSO in place. At some point, they introduced it, but still, the regular way of login was working. There was no notification from there side that it will stop working abruptly.
The company email address in this case what @comany.com and the personal one was @gmail.com. This is how they handed over all the accounts ending with @company.com to my previous company.
When you did this, was the Trello account used for just your work with that employer? Or for both work and your personal stuff? Or just your personal stuff?
[Edit: I see from your response elsewhere in this discussion that it's the second of the options above. I'll respond further in that subthread.]
I understood you were the user, and that what Atlassian was way too cold and lazy on their part.
but again, to play devil's advocate, Gmail do offer professional account part of the G Suite. Without knowing your work history, it would be difficult to know if the Gmail address is also not a "professional one".
On another hand do you think notification would have solved the issue ? And wouldn't a more malicious employee just delete all the boards if they did not part with their previous company on good term.
Obviously I don't know everything from the story. And my assertions are very far from the truth. I am trying to understand what would motivate such a decision (beside the obvious Atlassian is a heartless money-grabbing company that rot everything it touches)
The ownership of the board is by account. In this case, all the company accounts were anyways invisible to me as my login email was personal gmail account and I only had the permissions to delete board owned under my account.
I am the user in this case. I understand Atlassian's position in this case but this is so hard to track over such a long period of time. I left this workplace almost 5 years back and the account worked fine. Then it suddenly stopped working without any notification from their side.
> this is so hard to track over such a long period of time.
But you created the problem in the first place by adding your work email to an account that had your personal boards in it. By doing that you gave your employer a means of controlling that account. You basically planted a time bomb that could go off at some unpredictable time in the future. And it went off.
Your reasoning feels truly bizarre. He added that work email as a SECONDARY mail. As soon as it stopped working, he could no longer access the boards associated with that particular mail, only his personal ones that were NOT associated with it. His personal boards continued NOT being associated with that work email for years afterwards, and he never in any way indicated, asked for, or allowed that they should be.
HE didn't “plant a time bomb”; Atlassian ripped him off, plain and simple.
(Oh, sure, you could argue that he “planted a time bomb” by giving Atlassian the means — that email address — to rip him off... But please don't. That would be like arguing that a rape victim “planted a time bomb” be dressing too provocatively.)
Attaching a secondary email to an account does not grant ownership of content or IP owned by the account holder to an entity associated with the secondary email. At best it provides evidence that the account holder has [or had] a relationship with the email domain owner.
Depending on the jurisdiction, if one suffers money damages as a result of the unapproved transfer Trello or its business clients may be exposed to liability. Also, I imagine there may be privacy or consumer protection laws that could apply too even in the absence of money damages.
May be you can say that "Trello handed over the only account you had to the previous company".
While I understand, the pain - I sympathize: please note that no permissions management system (or identity and authentication is so perfect that every case can be handled perfectly). As others say, you should have verified spent a bit of time to cleanup - because at the end - you lose time/money/whatever.
In the worst case, any company or even govt can just say sorry or some credits.
Even if the company is to blame 99 % you need to take 1 % responsibility.
Every year, audit yourself for things like this. I compulsively check my own security... security is a frame of mind. Delete unused oauth apps, dead emails. Flipside - offboard people quicky and completely when they leave your team.
I understand Atlassian's part here. But Atlassian did this on purpose. They clearly understand the implication and the ownership of accounts, but they deliberately ignored individual users over big corporate accounts. And in my case, they didn't even have the courtesy to notify me in any way. I just stopped working one day leaving all my data unbale to use.
> They clearly understand the implication and the ownership of accounts
Clearly understand what "implication"? From what I can see, all Atlassian knows is that there is an account with two email addresses attached to it. They have no way of knowing which email belongs to the "right" owner of the account. That's something the two parties involved--the two owners of the two emails--need to work out between them, and then give Atlassian a common response.
Last time I used Trello they had a relatively extensive concept of organizations and board ownership, while they might not have an idea about which email is the fictitious canonical owner of the account this still falls on Atlassian.
They created this system that allowed AcmeCorp to change a setting and subsequently lock an ex employee out of non-organisation data. They know which of this accounts content is related to the organisation, they allow using a single identity for both private and corporate use cases at the same time. That's a use case their user facing interface actively encouraged. When I left the last company using Trello that distinction was pretty clear cut when I removed ties to the organisation.
The linked thread reads like deliberate design decisions that turned out to be user hostile in favour of AcmeCorp. You don't have to assign a correct owner. Their data model seems pretty clear cut on which parts of an account are owned by which identity. If they develop a system that allows me to login via a private and a corporate email, have a data model that allows them to determine data ownership for the two, and yet decide to give one of those identities leverage over the other - it's okay to at least blame them partially. There's three parties involved here, none of them did everything correctly but only one had negative impact from this.
> they allow using a single identity for both private and corporate use cases at the same time. That's a use case their user facing interface actively encouraged.
This seems to me to be the root of the problem, because to me this is obviously a bad idea and should be actively discouraged, if not prohibited altogether. If Atlassian, or some predecessor owner of Trello, did actively encourage this, then I agree they bear some culpability.
I guess that's one of those decisions that made sense at the time. iirc the organisation part was an afterthought after people started using it for these use cases, they now seem to have account switching in their app that would cater to the more modern use case.
In theory I actually prefer this data model, one identity (because that's the physical reality) and a sane perspective model on who owns what data this identity has access to. But sadly nobody seems to have time to get that right in a mixed B2C/B2B product.
You actually were lucky that this didn't bite you until now. Not fair to blame your old job for waiting this long to force mfa.
Edit: you can't say what they did deliberately or not. They're doing what makes the most sense for their business. Almost no support team I know would give you access to this account.
Why would they allow an account with multiple email addresses to login with the non SSO one? In your case you aren’t malicious but there could be used maliciously
- add your person email
- get fired and login with that email and now have all the data
I would argue that the "right" course of action is to immediately require human intervention when an SSO email is added to an account (or an existing account with an email address, such as a startup "going big league", becomes SSO managed), so that account ownership issues are resolved at that point in time by the parties with ownership interest, not Atlassian having to do so.
The ownership of data is attached to the email. As soon as i left my workplace, none of the data created under my company account was visible to me. On top of that, they launched SSO support lately. It was not SSO when I connected my accounts years back.
