Public account information on more than 15 million Trello users has been leaked online after a threat actor decided to basically give it away on a hacking forum.
In January 2024, a threat actor with the alias ‘emo’ said they collected 15,115,516 email addresses used to register Trello accounts, by feeding more than 500 million emails into an unsecured API, to see which were used for an account on the platform. Besides the email address, the hacker obtained people’s public Trello account information, as well as full names.
Fast-forward roughly half a year later, and the same threat actor is now selling the database on the Breached hacking forum for eight site credits. According to BleepingComputer, that equals $2.32.
Abusing APIs
“Trello had an open API endpoint that allows any unauthenticated user to map an email address to a trello account,” the threat actor said. “I originally was only going to feed the endpoint emails from ‘com’ (OGU, RF, Breached, etc.) databases but I just decided to keep going with emails until I was bored.”
Initially, Trello denied having been breached, and said that the hacker built the database out of public and scraped information. Now, it confirmed that the incident stemmed from an unsecured API:
“Enabled by the Trello REST API, Trello users have been enabled to invite members or guests to their public boards by email address. However, given the misuse of the API uncovered in this January 2024 investigation, we made a change to it so that unauthenticated users/services cannot request another user’s public information by email. Authenticated users can still request information that is publicly available on another user’s profile using this API. This change strikes a balance between preventing misuse of the API while keeping the ‘invite to a public board by email’ feature working for our users. We will continue to monitor the use of the API and take any necessary actions.”
While collecting public information this way doesn’t sound like a particularly dangerous attack, the information can still be used to create convincing phishing emails. That can lead to more destructive compromise, such as password theft, malware deployment, and more.
Trello is a project management platform on which users (mostly businesses) can organize tasks into columns, or cards. The platform allegedly has more than 40 million users.