Highlights:

  • Atlassian confirmed that the issue involved the misuse of an API that lets users invite members or guests to public boards by email address.
  • Emo, the hacker or group behind the January data leak, claimed to have obtained the information through Trello's REST API.

Atlassian’s Trello has experienced a data breach, with the names and email addresses of more than 15 million users exposed on BreachForums.

According to Bleeping Computer, the breach first came to light in January, when a threat actor known as “Emo” offered Trello user profiles for sale. Much of the information in each profile is already public, but the data set also includes the nonpublic email address linked to each account.

In January, Emo claimed that the data was collected through Trello's public REST application programming interface. This API allowed developers to retrieve the public information about a profile by supplying a user’s Trello ID, username, or email address, without authenticating.

Emo claims to have assembled a list of 500 million email addresses and fed each one to the API to check whether it belonged to a Trello account. The roughly 15 million addresses that matched were then combined with the public profile data the API returned, yielding a name, username, and email address for each of those users.
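The pattern described above, a single source spraying a bulk list of addresses at a lookup endpoint and receiving mostly "not found" answers, is detectable in ordinary access logs. The following is an added example, not code from the original article or from Atlassian: it runs a sliding-window check over a few constructed log lines. The log line layout and the `/1/members/<key>` path shape are assumptions made for the illustration, so adjust the two regular expressions to your own gateway's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample (not real Trello logs). Line format assumed:
# <ISO-8601 time> <client IP> <method> <path> <status>
# 203.0.113.7 sprays email-keyed profile lookups; 198.51.100.4 is ordinary traffic.
SAMPLE_LOG = """\
2024-01-16T10:00:00Z 203.0.113.7 GET /1/members/alice@example.com 200
2024-01-16T10:00:00Z 203.0.113.7 GET /1/members/bob@example.com 404
2024-01-16T10:00:01Z 203.0.113.7 GET /1/members/carol@example.com 404
2024-01-16T10:00:01Z 203.0.113.7 GET /1/members/dave@example.com 200
2024-01-16T10:00:02Z 203.0.113.7 GET /1/members/erin@example.com 404
2024-01-16T10:00:02Z 203.0.113.7 GET /1/members/frank@example.com 404
2024-01-16T10:00:03Z 198.51.100.4 GET /1/members/alice 200
2024-01-16T10:00:04Z 198.51.100.4 GET /1/boards/abc123 200
2024-01-16T10:05:00Z 203.0.113.7 GET /1/members/grace@example.com 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
MEMBER_PATH_RE = re.compile(r"^/1/members/([^/?]+)")   # assumed path shape
EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[^@\s/]+$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
    }


def email_lookups(lines):
    """Yield (ts, ip, email, status) for profile lookups whose key is an email address."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = MEMBER_PATH_RE.match(rec["path"])
        if m and EMAIL_RE.match(m.group(1)):
            yield rec["ts"], rec["ip"], m.group(1).lower(), rec["status"]


def detect_enumeration(lines, window=timedelta(minutes=1), min_distinct=5, min_miss_rate=0.5):
    """Flag source IPs that look up many distinct emails inside a sliding window
    with a high 404 rate: a bulk list of addresses that mostly do not belong to
    members is what distinguishes enumeration from a legitimate invite flow."""
    by_ip = defaultdict(list)
    for ts, ip, email, status in email_lookups(lines):
        by_ip[ip].append((ts, email, status))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            distinct = {e for _, e, _ in win}
            misses = sum(1 for _, _, s in win if s == 404)
            if len(distinct) >= min_distinct and misses / len(win) >= min_miss_rate:
                flagged[ip] = {
                    "distinct_emails": len(distinct),
                    "miss_rate": round(misses / len(win), 2),
                    "window_start": win[0][0].isoformat(),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"possible enumeration from {ip}: {info}")
```

The miss-rate condition matters as much as the volume threshold: a legitimate user inviting colleagues by email will mostly hit existing accounts, whereas a 500-million-address list yields a hit only a few percent of the time. A scraper spread across many source addresses defeats a per-IP check, which is why the fix described below ties each call to an authenticated identity rather than relying on volume alone.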

Atlassian has confirmed these details, with a spokesperson stating that the issue involved the misuse of an API that allowed users to invite members or guests to public boards by email address. Once the misuse was discovered in January, Atlassian changed the API so that unauthenticated users and services can no longer request another user’s public profile by email address. The change closes the lookup path going forward but does nothing about the copies of the data already offered for sale.
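To make the fix concrete, here is an added example (not Trello's code, and not code from the article) of a profile lookup written two ways over a constructed in-memory directory. The "before" handler resolves id, username or email for any caller, which is exactly the account-existence oracle the scrape relied on. The "after" handler keeps id and username lookups public but requires a valid API token for email-keyed lookups and rate-limits them per token, with both checks running before the directory is consulted. The token set, member records and field names are hypothetical.

```python
import re
import time

# Constructed in-memory member directory (not real Trello data).
MEMBERS = {
    "5f1a2b3c": {"id": "5f1a2b3c", "username": "alice", "fullName": "Alice Example", "email": "alice@example.com"},
    "7d8e9f0a": {"id": "7d8e9f0a", "username": "dave", "fullName": "Dave Example", "email": "dave@example.com"},
}
PUBLIC_FIELDS = ("id", "username", "fullName")   # the email itself is never returned
VALID_TOKENS = {"tok_example_1"}                  # hypothetical issued API tokens
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class NotFound(Exception):
    pass


class Unauthorized(Exception):
    pass


class RateLimited(Exception):
    pass


def _find(key):
    """Resolve a member by id, username, or (case-insensitive) email."""
    for m in MEMBERS.values():
        if key in (m["id"], m["username"]) or key.lower() == m["email"]:
            return m
    return None


def _public(m):
    return {k: m[k] for k in PUBLIC_FIELDS}


def lookup_member_v1(key):
    """Before: any caller may resolve a profile by id, username OR email.
    A 200 versus 404 answer tells the caller whether the address has an account."""
    m = _find(key)
    if m is None:
        raise NotFound(key)
    return _public(m)


class RateLimiter:
    """Fixed-window counter: at most `limit` calls per token per `window` seconds.
    The clock is injectable so the behaviour can be tested deterministically."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._counts = {}  # token -> (window_start, count)

    def allow(self, token):
        now = self.clock()
        start, count = self._counts.get(token, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        if count >= self.limit:
            return False
        self._counts[token] = (start, count + 1)
        return True


def lookup_member_v2(key, token=None, limiter=None):
    """After: email-keyed lookups need a valid token and are rate-limited per
    token; both checks happen before the directory is consulted, so an
    unauthenticated caller learns nothing. Id/username lookups stay public."""
    if EMAIL_RE.match(key):
        if token not in VALID_TOKENS:
            raise Unauthorized("email lookup requires an authenticated caller")
        if limiter is not None and not limiter.allow(token):
            raise RateLimited(token)
    m = _find(key)
    if m is None:
        raise NotFound(key)
    return _public(m)


def enumerate_emails(candidates, lookup):
    """The scraper's loop: which addresses in a candidate list resolve to accounts?"""
    hits = {}
    for email in candidates:
        try:
            hits[email] = lookup(email)["username"]
        except NotFound:
            pass
    return hits


CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]

if __name__ == "__main__":
    print("v1:", enumerate_emails(CANDIDATES, lookup_member_v1))
    try:
        enumerate_emails(CANDIDATES, lookup_member_v2)
    except Unauthorized as e:
        print("v2 unauthenticated:", e)
```

Authentication is the load-bearing control here: once every email lookup is bound to a token, a scraper that spreads 500 million queries over many source addresses still consumes the per-token budget, and an abusive token can be revoked and its owner identified. Rate limiting on its own only slows the scrape down.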

Although the data contains no passwords, pairing each email address with a real name and Trello username gives attackers material for targeted phishing that could deceive users into revealing more personal information or credentials.

The fact that Emo accessed the data through an unauthenticated API endpoint raises concerns about API security. Mayur Upadhyaya, CEO of API security company APIContext Inc., stated in an interview that the “leak of 15 million Trello user emails underscores the crucial role of API security.”

“To safeguard user data, APIs that access personal details must be secured with strong authentication and enforce least privilege principles. Every API call should be tied to the requesting user, preventing unauthorized data access. Additionally, continuous monitoring, regular audits, penetration testing and API gateways with rate limiting are essential for proactive threat detection and mitigation. By following these best practices, organizations can minimize the risk of API breaches and protect user privacy, especially when the applications are becoming so dependent on APIs, with API calls making up over 80% of all web traffic,” Upadhyaya said.