A significant data breach has compromised over 15 million email addresses associated with Trello accounts, collected through an unsecured API earlier this year.
Trello, a project management tool owned by Atlassian, is widely used by businesses to manage tasks and organize data using boards, cards, and lists. In January 2024, a threat actor known as ’emo’ began selling profiles of 15,115,516 Trello members on a popular hacking forum. While much of the information in these profiles is public, the inclusion of non-public email addresses has raised concerns.
Details of the Breach
The breach involved exploiting a Trello REST API that allowed unauthenticated users to query public profile information based on a user’s Trello ID, username, or email address. Emo compiled a list of 500 million email addresses and used the API to identify those associated with Trello accounts, creating a database of over 15 million profiles. This data was then shared on the Breached hacking forum for a nominal fee.
Potential Risks
The leaked data includes email addresses and public Trello account information, such as full names. This information can be used for targeted phishing attacks to steal more sensitive information, like passwords. Additionally, it poses a risk for doxxing, where threat actors could link email addresses to individuals and their online aliases.
Atlassian’s Response
Atlassian confirmed that the data was collected through a Trello REST API, which has since been secured. Changes have been made to prevent unauthenticated users from requesting another user’s public information via email. Authenticated users can still access public profile information using the API. Atlassian has emphasized their commitment to monitoring the API’s use and implementing further security measures if necessary.
Broader Implications
This breach underscores the importance of securing APIs to prevent misuse. APIs have become a popular target for threat actors, as evidenced by similar incidents involving Facebook and Twitter. Effective measures such as strong authentication, least privilege principles, continuous monitoring, and rate limiting are essential to safeguard user data and mitigate risks.
For those concerned about their exposure, the leaked data has been added to the Have I Been Pwned service, allowing users to check if their email addresses were compromised.