Hacker Starts Selling Stolen Trello Information

More than fifteen million email addresses associated with Trello accounts were put up for sale on hacking forum Breached after being stolen in January using an unsecured REST API.

The leaked data includes email addresses and public Trello account information, including the user’s full name. Because a verified email address is now tied to a real name and a Trello username, malicious actors can use this information in targeted phishing attacks aimed at harvesting sensitive information such as passwords. Atlassian owns the Trello platform.

“This highlights the need for a comprehensive mapping of the application threat surface. In today’s era of distributed architectures, such as cloud computing and microservices, it’s easy to overlook issues like improper authentication on a single API call,” said Ray Kelly of Synopsys Software Integrity Group. “Given the complexity and interconnectivity of modern systems, a single overlooked endpoint can become a significant vulnerability. It’s only a matter of time before malicious actors identify and exploit these weaknesses for malicious purposes.”

“Using Trello’s REST API, Trello users were able to invite members or guests to their public forums via email,” Atlassian said in a statement about the hack. “However, given the abuse of the API discovered during this January 2024 investigation, we have made a change to the API so that unauthenticated users/services cannot request another user’s public information via email. Authenticated users can still request publicly available information on another user’s profile using this API. This change strikes a balance between preventing abuse of the API and maintaining the ‘invite to public forum via email’ functionality for our users. We will continue to monitor API usage and take any necessary action.”
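The fix Atlassian describes is a change in who may call an email-to-profile lookup, not a change in what the lookup returns. The following is an added illustration, not Trello's or Atlassian's code, of that kind of endpoint in two variants: a weak one that answers any caller, and a hardened one that requires an authenticated caller and rate-limits lookups per account so that a single valid login cannot cheaply walk a large mailing list. The directory, session tokens, request shape and limits are all constructed for the example.

```python
"""Added example (not Trello's or Atlassian's code): an email-to-profile
lookup endpoint before and after requiring authentication and per-caller
rate limiting. Every name, token and limit here is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import time

# Constructed directory: private email -> the profile fields that are public.
DIRECTORY = {
    "alice@example.com": {"username": "alice_w", "full_name": "Alice Wong"},
    "bob@example.com": {"username": "bob_k", "full_name": "Bob Kim"},
}
# Constructed bearer tokens for logged-in accounts.
SESSIONS = {"tok-alice": "alice@example.com"}


@dataclass
class Request:
    query: dict
    headers: dict = field(default_factory=dict)


def lookup_weak(req):
    """Weak variant: the lookup answers anyone, so an unauthenticated client
    can confirm which addresses on a list are account holders and collect
    their names."""
    profile = DIRECTORY.get(req.query.get("email", ""))
    return (200, dict(profile)) if profile else (404, {"error": "not found"})


class RateLimiter:
    """Sliding-window count of lookups per caller key."""

    def __init__(self, max_calls, window_seconds):
        self.max_calls = max_calls
        self.window = window_seconds
        self.calls = defaultdict(deque)

    def allow(self, key, now):
        q = self.calls[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True


DEFAULT_LIMITER = RateLimiter(max_calls=20, window_seconds=60)


def authenticate(req):
    """Return the caller's account email for a valid bearer token, else None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def lookup_hardened(req, limiter=DEFAULT_LIMITER, now=None):
    """Hardened variant: only authenticated callers may resolve an email to a
    profile, and each account's lookups are rate-limited so a valid login is
    not enough to enumerate a mailing list at scale."""
    now = time.time() if now is None else now
    caller = authenticate(req)
    if caller is None:
        return 401, {"error": "authentication required"}
    if not limiter.allow(caller, now):
        return 429, {"error": "too many lookups"}
    profile = DIRECTORY.get(req.query.get("email", ""))
    return (200, dict(profile)) if profile else (404, {"error": "not found"})


if __name__ == "__main__":
    anon = Request({"email": "alice@example.com"})
    print("weak, no auth:", lookup_weak(anon))
    print("hardened, no auth:", lookup_hardened(anon))
    authed = Request({"email": "alice@example.com"},
                     {"Authorization": "Bearer tok-alice"})
    print("hardened, auth:", lookup_hardened(authed))
```

The rate limit keys on the authenticated account rather than the source address because the abuse pattern here is a legitimate feature (invite by email) being called far more often than any real user would; keying on the account keeps the limit meaningful even when requests arrive from many addresses.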
