A hacker has publicly released sensitive data for more than 15 million Trello user accounts.
Trello is a popular project management tool that's well-known for its kanban-style list format.
On Tuesday, the private data connected to 15,115,516 Trello user profiles was shared on a popular forum for hackers, as first noticed by the cybersecurity news website Bleeping Computer. It appears that a single hacker discovered a flaw in Trello's system and was able to extract sensitive private user data.
While much of the data connected to a Trello account is public information, not all of it is. By far, the most concerning part of the breach for Trello users is the email address data.
Over 15 million Trello users now have their private email addresses associated with their Trello profiles exposed to the public.
The Trello data breach and subsequent leak can be traced back to earlier this year. Bleeping Computer first noticed in January that the hacker, with the moniker "emo," was selling the Trello data on the hacking forum before providing greater access to it this week.
Both Trello's parent company, Atlassian, and "emo" (the hacker), have since shared more information about how this leak came to be.
According to a forum post by the hacker, they discovered that "Trello had an open API endpoint that allows any unauthenticated user to map an email address to a trello account." In a correspondence with Bleeping Computer, the hacker further explained that once they discovered the flaw, they put together a list of hundreds of millions of email addresses and cross checked them with the Trello accounts in the API. From there, "emo" was able to link those email addresses with Trello accounts and create a user profile for more than 15 million accounts.
Atlassian confirmed the issue with Bleeping Computer in a statement, saying that the Trello REST API was intended to allow Trello users to invite guests to public boards through email. The company has updated the Trello API to preserve this feature while preventing its misuse by bad actors.
"Given the misuse of the API uncovered in this January 2024 investigation, we made a change to it so that unauthenticated users/services cannot request another user's public information by email," Atlassian said in its statement. "Authenticated users can still request information that is publicly available on another user's profile using this API. This change strikes a balance between preventing misuse of the API while keeping the ‘invite to a public board by email’ feature working for our users. We will continue to monitor the use of the API and take any necessary actions."
Fixing the issue is certainly a step in the right direction. Unfortunately, the leaked data that was obtained through this method is still out there. And if one wonders exactly what can be done with this data, "emo" the hacker shared exactly why the Trello leak is useful to bad actors in their forum post.
"This database is very useful for doxing," wrote emo, who explained one can simply match the email address to a full name or alias attached to a Trello account using the stolen data.
Trello users should be aware that this sensitive data is out there.
