A hacker is selling 15 million Trello account emails and profiles online, after collecting them using an unsecured API.
First spotted by BleepingComputer, a hacker going by the name ‘emo’ began selling 15 million Trello profiles in January. The hacker told the outlet that the data “was collected using an unsecured REST API that allowed developers to query for public information about a profile based on users’ Trello ID, username, or email address.”
Although Trello parent Atlassian failed to provide comment in January, the company acknowledged to BleepingComputer this week how the data was exfiltrated.
“Enabled by the Trello REST API, Trello users have been enabled to invite members or guests to their public boards by email address. However, given the misuse of the API uncovered in this January 2024 investigation, we made a change to it so that unauthenticated users/services cannot request another user’s public information by email. Authenticated users can still request information that is publicly available on another user’s profile using this API. This change strikes a balance between preventing misuse of the API while keeping the ‘invite to a public board by email’ feature working for our users. We will continue to monitor the use of the API and take any necessary actions.”
❖ Atlassian
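The access-control change Atlassian describes, modelled as an added example (not Trello's or Atlassian's code): a profile-lookup handler before and after the fix, plus a detector that flags bulk unauthenticated email lookups in constructed log lines. The profile store, log format and IP addresses are assumptions.

```python
# Added example, not Trello/Atlassian code. Models the pre- and post-fix
# lookup policy and a simple enumeration detector over constructed logs.
from collections import defaultdict
from typing import Optional

PUBLIC_FIELDS = ("id", "username", "full_name")

# Constructed sample profiles; hypothetical values, not real Trello data.
PROFILES = {
    "u1": {"id": "u1", "username": "alice", "full_name": "Alice A", "email": "alice@example.com"},
    "u2": {"id": "u2", "username": "bob", "full_name": "Bob B", "email": "bob@example.com"},
}

def _find(key: str, value: str) -> Optional[dict]:
    return next((p for p in PROFILES.values() if p.get(key) == value), None)

def lookup_profile_before(key: str, value: str, authenticated: bool) -> Optional[dict]:
    """Pre-fix: any caller may resolve a profile by id, username OR email.
    An unauthenticated hit on an email address links that (non-public)
    address to a public profile, which is what made bulk harvesting possible."""
    p = _find(key, value)
    return {k: p[k] for k in PUBLIC_FIELDS} if p else None

def lookup_profile_after(key: str, value: str, authenticated: bool) -> Optional[dict]:
    """Post-fix: lookup by email requires an authenticated caller; lookups by
    id/username still return only fields already public on the profile."""
    if key == "email" and not authenticated:
        return None
    p = _find(key, value)
    return {k: p[k] for k in PUBLIC_FIELDS} if p else None

# Constructed access-log lines: "<src_ip> <anon|auth> <lookup_key> <value>"
SAMPLE_LOG = """\
203.0.113.5 anon email a1@example.com
203.0.113.5 anon email a2@example.com
203.0.113.5 anon email a3@example.com
198.51.100.7 auth email teammate@example.com
198.51.100.9 anon username bob
"""

def flag_enumeration(log: str, threshold: int = 3) -> list:
    """Return source IPs that issued >= threshold unauthenticated lookups
    by email for distinct addresses: a crude signal of profile harvesting."""
    seen = defaultdict(set)
    for line in log.splitlines():
        src, auth, key, value = line.split()
        if auth == "anon" and key == "email":
            seen[src].add(value)
    return sorted(src for src, vals in seen.items() if len(vals) >= threshold)
```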
Most of the information in the profiles is publicly available, but the information does contain non-public email addresses.
All in all, the Trello incident is not one of the most devastating cybersecurity breaches, but it does continue to demonstrate the risks associated with unsecured APIs.