
15 Million Trello Users’ Email Addresses Exposed on Hacking Forum: Protect Your Account Now

Discover how 15 million Trello users’ email addresses were leaked on a hacking forum, posing a significant security risk. Learn about the breach’s origins and how Trello is responding to protect users’ privacy and data. Stay informed on the latest online security threats.

A Massive Trello Data Leak: What Happened?

A hacker recently released over 15 million email addresses linked to Trello accounts. They were collected in January through an API endpoint that accepted unauthenticated requests. Trello, a popular online project management tool, is used by businesses worldwide to organize data and tasks into boards, cards, and lists.

The Story Behind the Trello Profile Sales

In January, we discovered that a hacker known as 'emo' was selling profiles of 15,115,516 Trello members on a well-known hacking forum. Most of the data in each profile was public, but every profile also contained the non-public email address linked to the account.

At the time, Atlassian, the company behind Trello, did not confirm how the data was obtained. However, emo stated that it was collected through an unsecured REST API, allowing developers to query for public information about a profile based on a user’s Trello ID, username, or email address.

emo fed a list of 500 million email addresses through the API to determine which ones belonged to a Trello account, then combined the returned account details with the matching addresses to build profiles for over 15 million users.
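The enumeration technique described above, simulated in Python, together with the kind of change Atlassian describes later in the article (an added example, not Trello's or Atlassian's code; the member records, the `lookup_member` / `lookup_member_hardened` names, the status codes and the token set are all constructed and only mimic the behaviour the article reports, not the real Trello REST API):

```python
"""Email-to-account enumeration through an unauthenticated lookup endpoint.

Added example, not Trello's or Atlassian's code. Everything here is
constructed: the member records, the endpoint names, the status codes and
the token set. It mimics the behaviour the article describes, not the real
Trello REST API.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample directory. Only `email` is non-public; the other fields
# are what the service already shows on a public profile.
MEMBERS: List[Dict[str, str]] = [
    {"id": "5f1a", "username": "alice_pm", "fullName": "Alice Example", "email": "alice@example.com"},
    {"id": "5f1b", "username": "bobb", "fullName": "Bob Builder", "email": "bob@example.org"},
    {"id": "5f1c", "username": "dana_d", "fullName": "Dana Dev", "email": "dana@example.net"},
]

# Constructed stand-in for real token validation.
VALID_TOKENS = {"tok-user-1"}

# (HTTP status, JSON body) as a minimal model of the endpoint's response.
Response = Tuple[int, Optional[Dict[str, str]]]
Endpoint = Callable[..., Response]


def _find(by: str, value: str) -> Optional[Dict[str, str]]:
    """Look a member up by 'id', 'username' or 'email' (email is case-insensitive)."""
    needle = value.lower() if by == "email" else value
    return next((m for m in MEMBERS if m[by] == needle), None)


def _public_view(member: Dict[str, str]) -> Dict[str, str]:
    """The response never includes the email itself; the leak is the join."""
    return {k: v for k, v in member.items() if k != "email"}


def lookup_member(by: str, value: str, auth_token: Optional[str] = None) -> Response:
    """Vulnerable endpoint: anyone can resolve an email to a public profile.

    A 200 versus a 404 tells the caller whether `value` belongs to an account,
    so the endpoint doubles as an "is this email registered?" oracle.
    """
    member = _find(by, value)
    return (200, _public_view(member)) if member else (404, None)


def lookup_member_hardened(by: str, value: str, auth_token: Optional[str] = None) -> Response:
    """Same endpoint after the change Atlassian describes: lookups by email
    now require an authenticated caller; lookups by id/username, and
    authenticated by-email lookups, still return only the public fields."""
    if by == "email" and auth_token not in VALID_TOKENS:
        return (401, None)
    member = _find(by, value)
    return (200, _public_view(member)) if member else (404, None)


def scrape(candidate_emails: List[str], endpoint: Endpoint,
           auth_token: Optional[str] = None) -> List[Dict[str, str]]:
    """Attacker side: push a bulk email list through the endpoint and join
    each hit back to the email that produced it. This is how a list of
    addresses becomes the (email, name, username) profiles sold on the forum."""
    profiles = []
    for email in candidate_emails:
        status, public = endpoint("email", email, auth_token=auth_token)
        if status == 200 and public is not None:
            profiles.append({"email": email, **public})
    return profiles


if __name__ == "__main__":
    # Constructed candidate list: three members mixed with non-members.
    candidates = ["alice@example.com", "nobody@example.com", "BOB@example.org",
                  "dana@example.net", "x@y.z"]
    print(scrape(candidates, lookup_member))            # three profiles rebuilt
    print(scrape(candidates, lookup_member_hardened))   # [] : every request is 401
```

Note what the hardened variant does and does not do: it closes the unauthenticated path, which is the change Atlassian described, but a registered attacker can still run `scrape` with their own token. The authenticated path therefore still needs a per-token query budget and monitoring of aggregate lookup volume, and the 200/404 distinction on by-email lookups remains an enumeration signal for anyone who can reach it.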

The Data Leak Goes Public

Recently, emo shared the entire list of 15,115,516 profiles on the Breached hacking forum for a mere eight site credits (worth $2.32). In a forum post, emo explained, “Trello had an open API endpoint that allows any unauthenticated user to map an email address to a Trello account.”

What does this leak include? Email addresses and public Trello account information, such as the user’s full name. This data can be used in targeted phishing attacks to steal more sensitive information, like passwords. Emo also mentioned that the data can be used for doxxing, enabling hackers to link email addresses to people and their aliases.

Atlassian’s Response

Atlassian confirmed to us that the information was collected through a Trello REST API that was secured in January. In a statement, they said:

“Enabled by the Trello REST API, Trello users have been enabled to invite members or guests to their public boards by email address. However, given the misuse of the API uncovered in this January 2024 investigation, we made a change to it so that unauthenticated users/services cannot request another user’s public information by email. Authenticated users can still request information that is publicly available on another user’s profile using this API. This change strikes a balance between preventing misuse of the API while keeping the ‘invite to a public board by email’ feature working for our users. We will continue to monitor the use of the API and take any necessary actions.”

❖ Atlassian

Unsecured APIs: A Growing Concern

Unauthenticated or poorly secured APIs have become a popular target for attackers, who abuse them to join non-public identifiers (email addresses, phone numbers) to public profiles. The dataset covering 533 million Facebook users that surfaced in 2021 was built the same way, by abusing a contact-import API that linked phone numbers to accounts.

Twitter suffered a similar breach in 2022, with hackers exploiting an unsecured API to link phone numbers and email addresses to millions of users. This data allowed for the unmasking of people who post anonymously on social media, posing a significant privacy risk.

Recently, an unsecured Twilio API was used to confirm the phone numbers of 33 million Authy multi-factor authentication app users.

Many organizations try to protect such endpoints with rate limiting keyed on the client's IP address instead of requiring authentication with an API key or token. That does not hold up: an attacker can rent hundreds of proxy servers and rotate connections across them, staying under the per-IP threshold on every address while keeping the aggregate query rate high. Rate limiting remains useful as a secondary control, but it is not access control; an endpoint that answers "does this email belong to an account?" needs authentication and a per-credential budget before it needs a throttle.
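A small simulation of that point (an added example, not from the article or any vendor): a fixed-window limiter keyed on the source IP, a scraper rotating through a proxy pool, and the same limiter keyed on an authenticated token instead. The limiter, the attacker loop, the proxy addresses and all of the numbers (limit, pool size, request volume) are constructed for illustration.

```python
"""Per-source-IP rate limiting versus proxy rotation (simulation).

Added example, not from the article or any vendor. The limiter, the
attacker loop and the numbers are constructed to show why a limit keyed on
the client IP alone does not stop a scraper that rotates a proxy pool,
while the same limit keyed on an authenticated credential does.
"""
from collections import defaultdict
from itertools import cycle
from typing import Callable, Dict, List, Tuple


class FixedWindowLimiter:
    """Allow at most `limit` requests per key in each `window_s`-second window.

    The caller passes the timestamp so the simulation is deterministic; a
    real service would use time.monotonic() and shared storage (e.g. Redis)
    so every API node counts against the same budget.
    """

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit = limit
        self.window_s = window_s
        self._counts: Dict[Tuple[str, int], int] = defaultdict(int)

    def allow(self, key: str, now: float) -> bool:
        slot = (key, int(now // self.window_s))
        if self._counts[slot] >= self.limit:
            return False
        self._counts[slot] += 1
        return True


# What the limiter keys on. `token` is the scraper's single API token, which
# an endpoint that requires authentication would force them to present.
KeyFn = Callable[[str, str], str]
ATTACKER_TOKEN = "tok-attacker"  # constructed


def per_ip(ip: str, token: str) -> str:
    return ip


def per_token(ip: str, token: str) -> str:
    return token


def run_scraper(limiter: FixedWindowLimiter, key_fn: KeyFn, n_requests: int,
                proxies: List[str], now: float = 0.0) -> int:
    """Fire `n_requests` inside one window, rotating across `proxies`, and
    return how many got past the limiter."""
    pool = cycle(proxies)
    allowed = 0
    for _ in range(n_requests):
        ip = next(pool)
        if limiter.allow(key_fn(ip, ATTACKER_TOKEN), now):
            allowed += 1
    return allowed


def compare(limit_per_min: int, n_proxies: int, n_requests: int) -> Tuple[int, int]:
    """Return (allowed with a per-IP limit, allowed with a per-token limit)
    for a scraper that spreads `n_requests` over `n_proxies` addresses
    within a single one-minute window."""
    # Constructed proxy pool with distinct addresses.
    proxies = [f"10.{i // 256}.{i % 256}.1" for i in range(n_proxies)]
    by_ip = run_scraper(FixedWindowLimiter(limit_per_min, 60), per_ip, n_requests, proxies)
    by_token = run_scraper(FixedWindowLimiter(limit_per_min, 60), per_token, n_requests, proxies)
    return by_ip, by_token


if __name__ == "__main__":
    # 100 lookups/minute per key, 500 rotating proxies, 50,000 lookups in a minute.
    print(compare(100, 500, 50_000))  # per-IP lets all 50,000 through; per-token stops at 100
    print(compare(100, 1, 50_000))    # with a single IP both limits bite at 100
```

Keying the limit on a credential only moves the attacker's cost from renting IPs to registering accounts, so it has to be paired with friction on account creation and an alert on aggregate lookup volume across all keys. That is defense in depth around the real fix, which is that an unauthenticated caller should not be able to ask the email-to-account question at all.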

Stay Informed and Stay Safe

As the world of cybersecurity evolves, it’s crucial to stay informed and take the necessary precautions to protect your data. We’re here to help you navigate this complex landscape and keep you updated on the latest threats. Don’t hesitate to contact us for more information, and keep returning for more insights on cybersecurity.
