Email addresses of 15 million Trello users leaked on hacking forum

A threat actor has released over 15 million email addresses associated with Trello accounts that were collected using an unsecured API in January.

Trello is an online project management tool owned by Atlassian. Businesses commonly use it to organize data and tasks into boards, cards, and lists.

In January, BleepingComputer reported that a threat actor known as ’emo’ was selling profiles for 15,115,516 Trello members on a popular hacking forum.

While almost all of the data in these profiles is public information, each profile also contained a non-public email address associated with the account.

While Atlassian, the owner of Trello, did not confirm at the time how the data was stolen, emo told BleepingComputer it was collected using an unsecured REST API that allowed developers to query for public information about a profile based on users’ Trello ID, username, or email address.

emo created a list of 500 million email addresses and fed it into the API to determine if they were linked to a Trello account. The list was then combined with the returned account information to create member profiles for over 15 million users.

Today, emo shared the entire list of 15,115,516 profiles on the Breached hacking forum for eight site credits (worth $2.32).

“Trello had an open API endpoint that allows any unauthenticated user to map an email address to a trello account,” emo explained in the forum post.

“I originally was only going to feed the endpoint emails from ‘com’ (OGU, RF, Breached, etc.) databases but I just decided to keep going with emails until I was bored.”

Caption

The leaked data includes email addresses and public Trello account information, including the user’s full name.

This information can be used in targeted phishing attacks to steal more sensitive information, such as passwords. emo also says the data can be used for doxxing, allowing threat actors to link email addresses to people and their aliases.

Atlassian confirmed to BleepingComputer today that the information was collected through a Trello REST API that was secured in January.

“Enabled by the Trello REST API, Trello users have been enabled to invite members or guests to their public boards by email address. However, given the misuse of the API uncovered in this January 2024 investigation, we made a change to it so that unauthenticated users/services cannot request another user’s public information by email. Authenticated users can still request information that is publicly available on another user’s profile using this API. This change strikes a balance between preventing misuse of the API while keeping the ‘invite to a public board by email’ feature working for our users. We will continue to monitor the use of the API and take any necessary actions.”

❖ Atlassian

Unsecured APIs have become a popular target for threat actors, who abuse them to combine non-public information, such as email addresses and phone numbers, with public profiles.

In 2021, threat actors abused an API to link phone numbers to Facebook accounts, creating profiles for 533 million users.

In 2022, Twitter suffered a similar breach when threat actors abused an unsecured API to link phone numbers and email addresses to millions of users.

As many people post anonymously on social media, this data allowed for the unmasking of these people, posing a significant privacy risk.

More recently, an unsecured Twilio API was used to confirm the phone numbers of 33 million Authy multi-factor authentication app users.

Many organizations attempt to secure APIs using rate-limiting rather than through authentication via an API key.

However, threat actors simply purchase hundreds of proxy servers and rotate the connections to constantly query the API, making the rate limiting useless.