Trello API Abused to Link Email Addresses to 15 Million Accounts

By Lawrence Abrams, January 23, 2024 04:31 PM

An exposed Trello API allows linking private email addresses with Trello accounts, enabling the creation of millions of data profiles containing both public and private information.

Trello is an online project management tool owned by Atlassian that is commonly used by businesses to organize data and tasks into boards, cards, and lists.

News of the Trello data leak came last week when a person using the alias ’emo’ attempted to sell the data of 15,115,516 Trello members on a popular hacking forum.

“Contains emails, usernames, full names and other account info. 15,115,516 unique lines,” reads the post on the hacking forum.

“Selling one copy to whoever wants it, message on me on-site or on telegram if you’re interested.”

[Image: Trello post on the hacking forum. Source: BleepingComputer]

While almost all of the data in these profiles is public, the email addresses associated with the profiles are not.

When BleepingComputer contacted Trello about the data leak last week, we were told that it was not collected by unauthorized access to Trello’s systems but by scraping public data.

“All evidence points to a threat actor testing a pre-existing list of email addresses against publicly available Trello user profiles,” Atlassian, the owner of Trello, told BleepingComputer last week.

“We are conducting an exhaustive investigation and have not found any evidence of unauthorized access of Trello or user profiles.”

However, it appears that there was more to the story about how the threat actor was able to confirm the email addresses.

Abusing an exposed API

In a conversation with emo, BleepingComputer learned that a publicly exposed API was used to associate email addresses with public Trello
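As an added, defender-side example (not code from the article, Trello or Atlassian), the script below flags the pattern Atlassian described: a single client testing a pre-existing list of email addresses against an email-to-profile lookup endpoint. The log format, the `/1/members/lookup?email=` path and the sample lines are constructed placeholders, not Trello's real API or real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API access log lines (not real Trello logs). The endpoint
# path is a hypothetical placeholder for an email-to-profile lookup.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z 203.0.113.7 GET /1/members/lookup?email=a%40example.com 200
2024-01-15T10:00:02Z 203.0.113.7 GET /1/members/lookup?email=b%40example.com 404
2024-01-15T10:00:02Z 203.0.113.7 GET /1/members/lookup?email=c%40example.com 200
2024-01-15T10:00:03Z 203.0.113.7 GET /1/members/lookup?email=d%40example.com 404
2024-01-15T10:00:03Z 203.0.113.7 GET /1/members/lookup?email=e%40example.com 200
2024-01-15T10:00:04Z 203.0.113.7 GET /1/members/lookup?email=f%40example.com 200
2024-01-15T10:05:00Z 198.51.100.9 GET /1/members/lookup?email=me%40example.com 200
2024-01-15T10:06:00Z 198.51.100.9 GET /1/members/lookup?email=me%40example.com 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) GET /1/members/lookup\?email=(?P<email>\S+) (?P<status>\d{3})$"
)

def parse(log_text):
    """Yield (timestamp, client_ip, email) for each lookup request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["ip"], m["email"].lower()

def find_enumerators(log_text, window=timedelta(minutes=1), threshold=5):
    """Return {ip: distinct_email_count} for clients that query more than
    `threshold` distinct addresses inside any sliding `window`. Legitimate
    use repeats the same few addresses; a client working through a list of
    emails produces many distinct addresses in a short burst."""
    events = defaultdict(list)
    for ts, ip, email in parse(log_text):
        events[ip].append((ts, email))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            distinct = {e for _, e in evs[start:end + 1]}
            if len(distinct) > threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

Counting distinct addresses rather than raw request volume is what separates list-testing from a legitimate integration that polls the same account repeatedly; the 404s count as well, since a negative answer still confirms an address is not registered.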
