Public account details of over 15 million Trello users have been leaked online after a cybercriminal decided to release the information on a hacker forum.
In January 2024, a threat actor going by the alias “emo” said they collected 15,115,516 email addresses used to register Trello accounts by feeding over 500 million emails into an unsecured API to see which ones were used to sign up for an account on the platform. In addition to the email address, the hacker obtained people’s public Trello account details, as well as full names.
Fast-forward about half a year, and the same threat actor is now selling the database on the Breached hacking forum for eight site credits. According to BleepingComputer, that is equal to $2.32.
Abuse of APIs
“Trello had an open API endpoint that allowed any unauthenticated user to link an email address to a Trello account,” the threat actor said. “I was originally just going to feed the endpoint emails from ‘com’ databases (OGU, RF, Breached, etc.) but I decided to just keep feeding emails until I got bored.”
Trello initially denied that a breach had occurred, saying the hacker had built the database from public and scraped information. Now it has confirmed that the incident stemmed from an unsecured API:
“The Trello REST API allows Trello users to invite members or guests to their public boards via email address. However, given the abuse of the API uncovered in this January 2024 investigation, we have made a change to prevent unauthenticated users/services from requesting another user’s public information via email. Authenticated users can still request information that is publicly available on another user’s profile using this API. This change strikes a balance between preventing API abuse and keeping the ‘invite to a public board via email’ feature working for our users. We will continue to monitor API usage and take action as necessary.”
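The change Trello describes, requiring an authenticated caller before an email can be resolved to a profile, is easiest to see next to the pattern it replaces. The Python below is an added illustration written for this article, not Trello's code or API: the user store, session tokens, limits and audit log are constructed, and the open endpoint is shown only so that the hardened version (authentication, a per-caller sliding-window rate limit, and a detection rule over the audit trail) can be compared with it.

```python
from collections import defaultdict, deque
import time
from typing import Optional

# Constructed sample data (hypothetical; not Trello's users or API).
USERS = {
    "alice@example.com": {"username": "alice", "full_name": "Alice Example"},
    "bob@example.com": {"username": "bob", "full_name": "Bob Example"},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed session tokens


def lookup_by_email_open(email: str) -> Optional[dict]:
    """Vulnerable pattern: an unauthenticated endpoint that maps an email to a
    public profile. Every call is also an oracle for 'does this email have an
    account?', so a list of leaked emails can be checked one by one at no cost."""
    return USERS.get(email.strip().lower())


class AuthRequired(Exception):
    pass


class RateLimited(Exception):
    pass


class LookupService:
    """Hardened pattern: the same lookup, but only for authenticated callers,
    with a sliding-window rate limit per caller and an audit trail that a
    detection rule can read."""

    def __init__(self, max_per_window: int = 20, window_seconds: float = 60.0):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self._hits = defaultdict(deque)  # caller -> timestamps of recent lookups
        self.audit_log = []              # (timestamp, caller, email) tuples

    def _allow(self, caller: str, now: float) -> bool:
        q = self._hits[caller]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_per_window:
            return False
        q.append(now)
        return True

    def lookup_by_email(self, email: str, session_token: str,
                        now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        caller = SESSIONS.get(session_token)
        if caller is None:
            raise AuthRequired("authenticated session required for email lookup")
        if not self._allow(caller, now):
            raise RateLimited(f"{caller} exceeded {self.max_per_window} lookups per window")
        email = email.strip().lower()
        self.audit_log.append((now, caller, email))  # keep a record for detection
        return USERS.get(email)


def flag_enumerators(audit_log, window_seconds: float = 3600.0,
                     distinct_threshold: int = 50) -> dict:
    """Detection: callers who resolved an unusually large number of distinct
    emails inside one window. Returns {caller: peak_distinct_email_count}."""
    by_caller = defaultdict(list)
    for ts, caller, email in audit_log:
        by_caller[caller].append((ts, email))
    flagged = {}
    for caller, events in by_caller.items():
        events.sort()
        window = deque()  # (ts, email) pairs inside the current window
        for ts, email in events:
            window.append((ts, email))
            while window and ts - window[0][0] >= window_seconds:
                window.popleft()
            distinct = len({e for _, e in window})
            if distinct >= distinct_threshold:
                flagged[caller] = max(flagged.get(caller, 0), distinct)
    return flagged


if __name__ == "__main__":
    svc = LookupService(max_per_window=3, window_seconds=60)
    print(svc.lookup_by_email("alice@example.com", "tok-bob", now=0))
    try:
        svc.lookup_by_email("alice@example.com", "no-such-token", now=1)
    except AuthRequired as exc:
        print("rejected:", exc)
```

The audit log is what makes the difference operationally: an authentication requirement ties every lookup to an account that can be rate-limited, investigated and suspended, and the distinct-email count per caller is the signal that separates a user inviting a few colleagues from a script walking a leaked list.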
While gathering public information in this way doesn’t sound like a particularly dangerous attack, the information can still be used to create convincing phishing emails. That could lead to more destructive breaches, such as password theft, malware deployment, and more.
Trello is a project management platform that allows users (mainly businesses) to organize tasks into columns or cards. The platform is said to have over 40 million users.