15 million Trello users have been exposed in a data breach – here’s what you need to know


The email addresses of around 15 million users of Atlassian's task management tool Trello have been leaked on the dark web. 

Trello is an online project management tool that allows users to organize data and tasks into boards, cards, and lists, and is used by more than 3,000 companies.

In January this year, it was reported that a cyber criminal going by the name of 'emo' was offering a database including the emails, usernames, full names, and other account information of users for sale on a dark web forum.

"Selling one copy to whoever wants it, message me on-site or on Telegram if you're interested," the post read.

However, the data was only dumped yesterday. According to Hackread.com, it includes user IDs, usernames and full names, profile URLs, status information, various settings and limits, and associated board memberships, along with more than 15 million email addresses.

The hacker claims to have gained access through an API endpoint that could be queried without logging in; such endpoints exist so that separate pieces of software can exchange data in distributed systems. This API allows developers to search for public information about a profile based on users' Trello IDs, usernames, or email addresses.

Emo exploited the REST API by creating a list of 500 million random email addresses and checking to see if they were associated with Trello accounts.

"Trello had an open API endpoint that allows any unauthenticated user to map an email address to a Trello account," emo said. 

"I originally was only going to feed the endpoint emails from 'com' (OGU, RF, Breached, etc.) databases but I just decided to keep going with emails until I was bored. This database is very useful for doxing, find enclosed email addresses matched to full names and aliases matched to personal email addresses."

Trello incident highlights lingering API security flaws

Atlassian said it has made changes to prevent unauthorized users from requesting other users' public information by email address, and that it will continue to monitor usage of the API and take any necessary actions.
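The enumeration pattern described above leaves a distinctive trace in API access logs: one client issuing a large volume of lookups, each for a different address, almost all of them for accounts that do not exist, and none carrying a session. The detector below is an added illustration, not code from the article or from Atlassian; the log format, the endpoint path `/api/members/lookup`, the thresholds and the sample lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Log format (constructed): client IP, timestamp, auth state, request line, HTTP status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<auth>anon|token) "GET (?P<url>\S+)" (?P<status>\d{3})$')
LOOKUP_PATH = "/api/members/lookup"  # hypothetical path, not Trello's real endpoint
MIN_DISTINCT = 5     # distinct emails probed before a client is suspicious
MIN_MISS_RATE = 0.5  # share of lookups that matched no account

def parse_line(line):
    """Return (ip, auth, email, status) for an email-lookup request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    email = parse_qs(url.query).get("email", [None])[0]
    if url.path != LOOKUP_PATH or email is None:
        return None
    return m["ip"], m["auth"], email.lower(), int(m["status"])

def find_enumerators(lines):
    """Return {ip: stats} for clients probing many distinct addresses that mostly miss."""
    per_ip = defaultdict(lambda: {"emails": set(), "total": 0, "misses": 0, "anon": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, auth, email, status = rec
        s = per_ip[ip]
        s["emails"].add(email)
        s["total"] += 1
        s["misses"] += int(status == 404)   # lookup found no account
        s["anon"] += int(auth == "anon")    # request carried no session
    flagged = {}
    for ip, s in per_ip.items():
        miss_rate = s["misses"] / s["total"]
        if len(s["emails"]) >= MIN_DISTINCT and miss_rate >= MIN_MISS_RATE:
            flagged[ip] = {"distinct": len(s["emails"]), "miss_rate": round(miss_rate, 2),
                           "unauthenticated": s["anon"] == s["total"]}
    return flagged

# Constructed sample: 198.51.100.5 sweeps generated addresses anonymously (one hit in ten);
# 203.0.113.7 is a logged-in user who looks up one colleague twice, then opens a board.
SAMPLE_LOG = [
    f'198.51.100.5 2024-07-16T10:00:{i:02d}Z anon "GET {LOOKUP_PATH}?email=user{i}%40example.com" '
    f'{200 if i == 3 else 404}' for i in range(10)
] + [
    f'203.0.113.7 2024-07-16T10:01:00Z token "GET {LOOKUP_PATH}?email=alice%40example.com" 200',
    f'203.0.113.7 2024-07-16T10:01:05Z token "GET {LOOKUP_PATH}?email=alice%40example.com" 200',
    '203.0.113.7 2024-07-16T10:01:09Z token "GET /api/boards/abc" 200',
]
```

Calling `find_enumerators(SAMPLE_LOG)` flags only 198.51.100.5; in production the same signal feeds a rate limit or a block on unauthenticated lookups, which is the kind of change Atlassian describes.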

However, according to Jason Kent, hacker in residence at security firm Cequence, users need to be on their guard.

"The Unholy Trinity of API security is alive and well. API endpoints not being tracked or authenticated, and containing sensitive data, all seem to be at the heart of these types of breaches," he said. "Grabbing emails from the system puts context with the emails."

As a result, users should be extremely cautious about any emails purporting to come from the company, and should avoid clicking on any links.


"The other thing is some work on the attackers' side. They have to find a matching password. The attackers will look at old breach data for the email and try that password first, then they will begin validation," he noted.

"Once they line up credentials from one of these dumps they sell them to an even more nefarious crowd that will carry out further attacks. Organizations need to understand their footprint and how they can be attacked further to validate these types of data dumps."

The attack is similar to Twitter's 2022 breach, in which an unsecured API allowed hackers to take over business and verified accounts linked to affected apps.

Last year, a report from Salt Security highlighted a 400% increase in unique API attackers in the previous six months, with 17% of organizations saying they'd suffered a data breach over the past year as a result of security gaps in APIs. 

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.