
A threat actor has leaked over 15 million email addresses linked to Trello accounts, collected using an unsecured API earlier this year. Trello, an online project management tool owned by Atlassian, is widely used by businesses to manage tasks and organize data.
In January, cybersecurity news outlet BleepingComputer reported that a threat actor known as ‘emo’ was selling profiles for 15,115,516 Trello members on a popular hacking forum. These profiles included non-public email addresses associated with the accounts and publicly available information.
Atlassian did not initially confirm how the data was stolen, but emo disclosed to BleepingComputer that it was collected via an unsecured REST API. This API allowed developers to query public information about a profile based on the user’s Trello ID, username, or email address. Emo compiled a list of 500 million email addresses and used the API to identify those linked to Trello accounts, ultimately creating profiles for over 15 million users.
Recently, emo released the full set of 15,115,516 profiles on the Breached hacking forum for eight site credits, equivalent to about $2.32. In the forum post, emo explained that Trello had exposed an API endpoint that let unauthenticated callers map email addresses to Trello accounts, turning the endpoint into an account-existence oracle for any email list an attacker already holds. Emo said the original plan was only to check addresses from existing breach databases such as ‘com’ (OGU, RF, Breached), but kept feeding in more addresses and stopped only out of boredom.
Atlassian responded to the breach, stating, “Given the misuse of the API uncovered in this January 2024 investigation, we made a change so that unauthenticated users/services cannot request another user’s public information by email. Authenticated users can still request publicly available information on another user’s profile using this API. This change strikes a balance between preventing misuse of the API while keeping the ‘invite to a public board by email’ feature working for our users. We will continue to monitor the use of the API and take any necessary actions.”
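The following is an added illustration, not Trello or Atlassian code, of the two halves of the story above: the enumeration loop emo describes (push a leaked address list through an unauthenticated "look up member by email" endpoint and keep every hit), and the fix Atlassian describes (email lookups now require an authenticated caller, who can still retrieve public profile data). The user records, the token value and the per-token lookup budget are constructed assumptions; the budget in particular is not something the article attributes to Atlassian, it is included because authentication alone leaves the oracle available to anyone with a valid token.

```python
# Added example; not Trello/Atlassian code. Models an email-to-account
# lookup endpoint before and after requiring authentication, plus the
# attacker loop that turns it into an enumeration tool. All data below is
# constructed for the illustration.
from collections import Counter

# Constructed sample accounts. The profile fields are the "public" data;
# the email used as the key is the non-public value the attacker wants to
# attach to each profile.
USERS = {
    "alice@example.org": {"id": "u1001", "username": "alice_k"},
    "bob@example.org": {"id": "u1002", "username": "bobbuilds"},
}
VALID_TOKENS = {"tok-abc123"}   # hypothetical API token for an authenticated caller
PER_TOKEN_BUDGET = 3            # hypothetical per-token lookup cap (assumption, not from the article)
_usage = Counter()              # lookups performed per token


def lookup_vulnerable(email, token=None):
    """Before the change: anyone can resolve an email to a public profile.
    A non-None answer proves the address has an account."""
    user = USERS.get(email.lower())
    return None if user is None else {"email": email.lower(), **user}


def lookup_hardened(email, token=None):
    """After the change: lookup by email needs a valid token, and (assumed
    here) each token gets a small budget so a single token cannot scan a
    multi-million address list. Unauthenticated callers learn nothing
    about the address either way."""
    if token not in VALID_TOKENS:
        raise PermissionError("authentication required to look up by email")
    _usage[token] += 1
    if _usage[token] > PER_TOKEN_BUDGET:
        raise PermissionError("lookup budget exhausted for this token")
    user = USERS.get(email.lower())
    return None if user is None else {"email": email.lower(), **user}


def enumerate_accounts(candidates, lookup, token=None):
    """The attacker's loop: feed a leaked address list through the endpoint
    and keep every address that resolves to a profile. Stops at the first
    refusal, which is what blocks the unauthenticated scan."""
    found = {}
    for email in candidates:
        try:
            profile = lookup(email, token)
        except PermissionError:
            break
        if profile is not None:
            found[email] = profile
    return found


# Constructed "leaked" list standing in for the 500 million addresses emo used.
CANDIDATES = ["alice@example.org", "nobody@example.net", "BOB@example.org",
              "carol@example.org", "dave@example.org"]

if __name__ == "__main__":
    print("unauthenticated, before fix:", sorted(enumerate_accounts(CANDIDATES, lookup_vulnerable)))
    print("unauthenticated, after fix: ", sorted(enumerate_accounts(CANDIDATES, lookup_hardened)))
    print("authenticated, after fix:   ", sorted(enumerate_accounts(CANDIDATES, lookup_hardened, "tok-abc123")))
```

Run as a script, the first line lists both real accounts, the second is empty because the unauthenticated scan is refused on its first request, and the third still resolves addresses for the token holder until the budget runs out. That last case is the caveat worth noting about Atlassian's fix as described: requiring authentication makes the lookups attributable and throttleable, but the email-to-account mapping remains available to any caller with a token, so the rate limiting and monitoring Atlassian says it will keep doing are what actually bound the remaining exposure.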
Unauthenticated lookup endpoints of this kind are a recurring target. The attacker needs no vulnerability in the usual sense: they take email addresses or phone numbers from earlier breaches, feed them through the API, and use its response as an oracle for which values belong to an account, tying non-public contact details to otherwise public profiles. In 2021, threat actors used such an API to link phone numbers to Facebook accounts, affecting 533 million users. In 2022, a similar flaw in a Twitter API let attackers link phone numbers and email addresses to millions of accounts. More recently, an unsecured Twilio API endpoint was used to confirm the phone numbers of 33 million users of the Authy multi-factor authentication app.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543