Question

Unauthorised use of board

  • 7 November 2022

I recently found two boards on my account that weren’t mine and six users I hadn’t added. One user I had added to view a board a year ago, closed down the board, but didn’t know I also needed to remove her as a user. When I found the security glitch, I removed all the users she had added from the account. They then proceeded to request access, which I denied. Later they somehow reaccessed the account and their boards. I then removed all external link access, as well as the users, once again. They no longer can access their boards.

The external users have since claimed this was unintentional access to my account. My question to the Miro community is how this could’ve actually been unintentional, and how after I removed them as users they were still able to reaccess the account (before I removed all link access).

Adding that this is a free account.

 


3 replies


@Ashley T - Usually I would go into more detail, but this reply comes to you using my mobile device at 4:55am from a hotel room (I am travelling to a pre-Distributed '22 IRL meet up in Austin, TX!).

From what I am reading, these folks were likely able to join your team using a link generated from the Invite to board and link feature. Have a read of this article - I would also suggest disabling this feature.

When you do need to add a member to your team, I instead recommend that you go to the team profile settings page, and then Users and Invite new members:

 

Lastly, when you do want to share a link to a board in View-only mode only, you can use the Visitors feature:

https://help.miro.com/hc/en-us/articles/7045408248594-Visitors-guests-and-members

Note: Anyone with this link can also make a full copy of your board to their account.

 

Thanks Robert. Much appreciated. 
 

So sounds like even after I removed them as users, the original invite link (associated with me) from a year ago was still active and granted them access, which is how they re-accessed the account. 


@Ashley T - It does sound like that may have been the reason why.

Once you change the "invite to board and team" setting from "can view/edit/etc." to "No access", or you completely shut off the feature from your team profile/permissions settings, the link you previously sent will never work again.
