An exposed Trello API vulnerability has become the main gateway of a data breach attack that affected about 15 million users.
Trello, Atlassian’s online project management tool, is a household name. However, it inadvertently allowed private email addresses to be linked to user accounts, generating millions of data profiles that combine public and personal information.
The news of the Trello data leak emerged when an alleged hacker named ‘emo’ tried to sell the data of 15,115,516 Trello members on a notorious hacking forum. The confirmed information affected by this incident includes emails, usernames, full names, and other account details, forming a substantial data repository. The hacker’s post on the forum claimed, “contains emails, usernames, full names and other account info. 15,115,516 unique lines.”
Atlassian, the owner of Trello, explained that the data leak was not the result of unauthorised access to Trello’s systems. Instead, the scraping of publicly available data caused the leak. In addition, the threat actor tested a pre-existing list of email addresses against publicly accessible Trello user profiles.
A publicly exposed Trello API vulnerability catalyses the apparent data leak.
According to investigations, a publicly exposed Trello API vulnerability played a crucial role in associating email addresses with Trello accounts. Trello provides a REST API for developers to integrate the service into their applications, with an endpoint enabling the retrieval of public information based on Trello ID or username.
However, ‘emo’ discovered that they could query the API using an email address, revealing the associated public profile information. Subsequently, this threat actor compiled a list of 500 million email addresses and fed them into the API to identify Trello account associations. Despite claims of rate limiting by Trello, the threat actor circumvented it by employing proxy servers to rotate connections and query the API continuously. Although the affected entity fortified the API by requiring authentication, it remains accessible to anyone with a free account.
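As an added illustration (not Trello's code), the two handler patterns described above: a lookup that also answers by email address, beside a hardened version that requires an authenticated caller, accepts only a username or ID, and rate-limits per caller account rather than per source IP, which proxy rotation defeats. The member directory, field names and status codes are constructed for the example.

```python
from collections import defaultdict

# Constructed sample directory: username -> record; the email is private data.
MEMBERS = {
    "alice": {"id": "m001", "fullName": "Alice Example", "email": "alice@example.org"},
    "bob": {"id": "m002", "fullName": "Bob Example", "email": "bob@example.org"},
}

def public_profile(username):
    """Return only the public fields of a member; the email never leaves the server."""
    m = MEMBERS[username]
    return {"id": m["id"], "username": username, "fullName": m["fullName"]}

def weak_lookup(query):
    """Weak pattern: resolves a username OR an email address to a public profile.
    Answering an email query confirms the account exists and links it to that
    address, which is the oracle the article describes."""
    for username, m in MEMBERS.items():
        if query in (username, m["email"]):
            return 200, public_profile(username)
    return 404, None

class HardenedLookup:
    """Hardened pattern: authenticated callers only, username/ID lookups only,
    and a rate limit keyed on the caller's account rather than its source IP."""
    def __init__(self, limit=100, window=3600):
        self.limit, self.window = limit, window
        self.calls = defaultdict(list)  # caller account -> request timestamps

    def lookup(self, query, caller, now):
        if caller is None:
            return 401, None  # anonymous lookups are refused outright
        if "@" in query:
            return 400, None  # email addresses are not a supported lookup key
        recent = [t for t in self.calls[caller] if now - t < self.window]
        if len(recent) >= self.limit:
            return 429, None  # proxy rotation changes the IP, not the account
        recent.append(now)
        self.calls[caller] = recent
        for username, m in MEMBERS.items():
            if query in (username, m["id"]):
                return 200, public_profile(username)
        return 404, None
```

Because the quota is tracked per authenticated account, a free account still gets a bounded number of lookups per window regardless of how many proxies it rotates through.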
Scraping public data is generally not a significant concern, but linking private email addresses to public profiles heightens the severity of the data leak. This breach raises concerns about potential data misuse, particularly in targeted phishing campaigns where threat actors could pose as Trello representatives to acquire more sensitive information, such as passwords.
The Trello leak has been added to the ‘Have I Been Pwned’ data breach notification service, so those worried about their data can check whether their email addresses are among the 15 million leaked accounts.