Trello API Security Breach: 15 Million Email Addresses Leaked in Massive Data Exposure

Updated: Oct 11

Executive Summary

On July 16, 2024, a significant data breach involving Trello was reported by BleepingComputer, where over 15 million email addresses were leaked on a hacking forum. The breach was orchestrated by a threat actor known as 'emo', who exploited an unsecured Trello REST API to collect the data. This incident underscores the critical need for robust API security measures to protect sensitive user information. The leaked data poses a substantial risk for phishing attacks and doxxing, emphasizing the importance of user awareness and enhanced security protocols.

Technical Information

The breach was executed by exploiting a vulnerability in the Trello REST API that allowed unauthenticated access to public profile information when queried by Trello ID, username, or email address. The threat actor 'emo' used this unsecured endpoint to map email addresses to Trello accounts: by feeding a list of 500 million email addresses into the API, 'emo' compiled profiles for over 15 million users. The resulting data set pairs non-public email addresses with public profile information such as full names, a combination that can be leveraged for phishing and doxxing.

The vulnerability highlights a common oversight in API management: an endpoint left exposed without proper authentication, so that anyone can query it at scale. The consequence is that a threat actor can harvest sensitive information with relative ease, and the same pattern, an unauthenticated lookup that links a private identifier to a public record, can be exploited to access and misuse large amounts of data across other platforms.

Exploitation in the Wild

The leaked email addresses are particularly valuable for phishing campaigns, where attackers can craft convincing emails to deceive users into revealing sensitive information such as passwords or financial details. Additionally, the data can be used for doxxing, where threat actors link email addresses to individuals and their aliases, posing a significant privacy risk. The availability of such data on hacking forums increases the likelihood of its misuse by various malicious actors.

APT Groups using this vulnerability

While specific Advanced Persistent Threat (APT) groups have not been directly linked to this particular breach, the nature of the data and the method of exploitation are consistent with tactics employed by APT groups targeting sectors such as finance, healthcare, and government. These groups often leverage similar vulnerabilities to gain unauthorized access to sensitive information for espionage or financial gain.

Affected Product Versions

The breach specifically affected users of Trello, a project management tool owned by Atlassian. The vulnerability was present in the Trello REST API, which allowed unauthenticated access to public information. Atlassian has since addressed the issue by securing the API to prevent further unauthorized access.

Workaround and Mitigation

To mitigate the risks associated with this breach, organizations should prioritize API security by implementing authentication mechanisms and rate limiting to protect against abuse. Users should be educated about the risks of phishing and encouraged to use multi-factor authentication to safeguard their accounts. Additionally, regular security audits and vulnerability assessments can help identify and address potential weaknesses in API configurations.
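As an added illustration (not code from the original report, Trello, or Atlassian), the weak lookup pattern described above is shown beside a hardened version that applies the two controls named in this section, authentication and per-caller rate limiting, and that stops echoing the non-public email back in the response. The user records, API token, and limits are constructed for the example.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory: username and fullName are public profile
# fields, email is non-public and only meant to be known to the account owner.
USERS = {
    "alice@example.com": {"username": "alice_w", "fullName": "Alice W.", "email": "alice@example.com"},
    "bob@example.com": {"username": "bobk", "fullName": "Bob K.", "email": "bob@example.com"},
}
VALID_TOKENS = {"tok-demo-123"}  # constructed stand-in for an API-key/OAuth check


def lookup_vulnerable(email):
    """Before: unauthenticated, unlimited lookup keyed by email.
    One request per candidate address confirms whether an account exists
    and links the private email to the public profile."""
    user = USERS.get(email)
    return {"found": True, **user} if user else {"found": False}


class RateLimiter:
    """Sliding-window limit of `limit` calls per `window` seconds per caller."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)  # caller -> timestamps of recent calls

    def allow(self, caller, now=None):
        now = time.monotonic() if now is None else now
        q = self.calls[caller]
        while q and now - q[0] > self.window:  # drop calls outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LOOKUP_LIMITER = RateLimiter(limit=3, window=60)  # constructed, deliberately tight


def lookup_hardened(email, token, caller, now=None):
    """After: same lookup, gated by authentication and a per-caller rate
    limit; the response carries only public fields, never the email."""
    if token not in VALID_TOKENS:
        return {"status": 401}
    if not LOOKUP_LIMITER.allow(caller, now):
        return {"status": 429}
    user = USERS.get(email)
    if not user:
        return {"status": 404}
    public = {k: user[k] for k in ("username", "fullName")}
    return {"status": 200, "member": public}
```

With the limiter at three lookups per minute, a bulk enumeration run against this endpoint stalls at the fourth request and produces a stream of 429 responses that is easy to alert on.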

References

BleepingComputer Article: Email addresses of 15 million Trello users leaked on hacking forum (https://www.bleepingcomputer.com/news/security/email-addresses-of-15-million-trello-users-leaked-on-hacking-forum/)

Atlassian's Response: Atlassian confirmed the misuse of the Trello REST API and has implemented changes to prevent further unauthorized access.

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive solutions to identify, assess, and mitigate vulnerabilities, ensuring the security of your digital assets. For any questions or further assistance regarding this report or other cybersecurity concerns, please reach out to our team at ops@rescana.com.
