 
Over fifteen million email addresses associated with Trello accounts have been put up for sale on the Breached hacking forum after they were stolen in January through an unsecured REST API endpoint. Trello is owned by Atlassian.
The leaked data pairs each email address with public Trello account information, including the user's full name. Attackers can use such a mapping to craft convincing phishing messages aimed at harvesting sensitive information such as passwords.
“This highlights a need for comprehensive threat surface mapping of applications. In today’s era of distributed architectures, such as cloud computing and microservices, it is easy to overlook issues like improper authentication on a single API call,” said Ray Kelly from Synopsys Software Integrity Group. “Given the complexity and interconnectivity of modern systems, a single overlooked endpoint can become a significant vulnerability. It is only a matter of time before threat actors identify and exploit these weaknesses for malicious purposes.”
“Enabled by the Trello REST API, Trello users have been enabled to invite members or guests to their public boards by email address,” reads an Atlassian statement on the hack. “However, given the misuse of the API uncovered in this January 2024 investigation, we made a change to it so that unauthenticated users/services cannot request another user’s public information by email. Authenticated users can still request information that is publicly available on another user’s profile using this API. This change strikes a balance between preventing misuse of the API while keeping the ‘invite to a public board by email’ feature working for our users. We will continue to monitor the use of the API and take any necessary actions.”
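The control Atlassian describes, an email-to-profile lookup that is refused for unauthenticated callers but still works for signed-in users, is easy to model. The following is an added example, not Trello's or Atlassian's code: a hypothetical lookup service with the weak form (anyone can resolve an email address to a profile) beside a hardened form that requires a valid session, returns only the fields marked public, caps lookups per caller so a signed-in account cannot bulk-resolve addresses, and writes an audit record for monitoring. All records, tokens and field names are constructed.

```python
"""Email-to-profile lookup: weak form beside a hardened form.

Added illustration only (not Trello/Atlassian code). The directory,
sessions, tokens and per-caller limit are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed user directory keyed by email. "phone" stands in for a
# field that must never be disclosed through a public-profile lookup.
USERS = {
    "alice@example.com": {"full_name": "Alice Example", "username": "alice", "phone": "555-0100"},
    "bob@example.com": {"full_name": "Bob Example", "username": "bob", "phone": "555-0101"},
}

# Fields that are part of a user's public profile (constructed).
PUBLIC_FIELDS = ("full_name", "username")

# Constructed session store: bearer token -> account that owns it.
SESSIONS = {"tok-alice": "alice@example.com"}


class Unauthorized(Exception):
    """Caller presented no valid session."""


class RateLimited(Exception):
    """Caller exceeded the per-account lookup budget."""


def public_view(record: dict) -> dict:
    """Reduce a directory record to its public fields only."""
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}


def lookup_weak(email: str) -> Optional[dict]:
    """Weak form: no check of who is asking, so any caller can turn an
    email address into a profile. This is the shape of the problem the
    article describes, shown here only to contrast with the fix."""
    rec = USERS.get(email)
    return public_view(rec) if rec else None


@dataclass
class LookupService:
    """Hardened form: authenticated callers only, public fields only,
    per-caller lookup cap, and an audit trail of every decision."""
    per_caller_limit: int = 5
    _counts: dict = field(default_factory=lambda: defaultdict(int))
    audit_log: list = field(default_factory=list)

    def lookup(self, email: str, token: Optional[str]) -> Optional[dict]:
        caller = SESSIONS.get(token) if token else None
        if caller is None:
            # Unauthenticated request: refuse and record it for monitoring.
            self.audit_log.append(("denied", "unauthenticated", email))
            raise Unauthorized("authentication required")
        self._counts[caller] += 1
        if self._counts[caller] > self.per_caller_limit:
            # A signed-in account resolving many addresses is the pattern
            # a cap is meant to interrupt; log it so it can be reviewed.
            self.audit_log.append(("rate_limited", caller, email))
            raise RateLimited("lookup budget exceeded")
        self.audit_log.append(("allowed", caller, email))
        rec = USERS.get(email)
        return public_view(rec) if rec else None


if __name__ == "__main__":
    svc = LookupService(per_caller_limit=2)
    print(svc.lookup("bob@example.com", "tok-alice"))   # public fields only
    try:
        svc.lookup("bob@example.com", None)
    except Unauthorized as exc:
        print("unauthenticated caller refused:", exc)
    print(svc.audit_log)
```

The "invite to a public board by email" feature keeps working because an authenticated caller still gets the public profile; what changes is that the endpoint no longer answers anonymous traffic, never leaks non-public fields, and leaves a per-caller audit trail that a detection rule can watch for unusually high lookup volume.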