Exposed Trello API Leads to Data Breach
Trello has experienced a significant data breach, exposing the names and email addresses of over 15 million users. On January 23, 2024, it was revealed that these email addresses were leaked and put up for sale on a hacking forum. The breach was made possible by exploiting an exposed Trello API, allowing the association of email addresses with public Trello profiles.
Incident Details
A threat actor, known as 'emo,' leveraged a publicly accessible API endpoint provided by Trello. This endpoint allowed querying for public profile information using an email address without requiring authentication. Using a list of 500 million email addresses, the actor identified those associated with Trello accounts and compiled profiles containing email addresses, usernames, full names, and other account information.
The hacker then advertised this dataset, consisting of 15,115,516 unique lines, on a popular hacking forum, offering to sell a single copy of the data to interested parties.
Method of Exploitation
API Misuse: The Trello API was designed to allow developers to integrate Trello services into their applications. One endpoint, meant to query public profile information using a Trello ID or username, could also be queried using email addresses.
Scraping: The threat actor used this capability to test email addresses against the API and retrieve associated public profile information.
Proxy Servers: To bypass the API's rate limits, the hacker employed multiple proxy servers to maintain a constant querying rate.
Company Response
Atlassian, Trello's parent company, confirmed that the data was not accessed through unauthorized means but rather scraped from public profiles using the API. In response to the incident, the API endpoint has been modified to require authentication, ensuring that only authenticated users can request public profile information by email. This change aims to balance the prevention of API misuse with maintaining functionality for legitimate users .
Potential Risks
Phishing Attacks: The exposure of email addresses linked to public profiles can facilitate targeted phishing campaigns, where attackers impersonate Trello or related services to extract sensitive information from users.
Identity Theft: Associating email addresses with public profiles increases the risk of identity theft and other forms of cyber fraud.
Recommendations
Enhanced API Security: Companies should implement robust authentication and authorization mechanisms for APIs to prevent unauthorized data scraping.
Rate Limiting: Effective rate limiting and monitoring can help detect and mitigate unusual activity patterns indicative of scraping attempts.
User Awareness: Users should be educated about the potential risks of data breaches and advised to remain vigilant against phishing attempts.
Conclusion
The Trello data breach underscores the importance of securing APIs and monitoring for potential misuse. By implementing stronger security measures and raising user awareness, companies can mitigate the risks associated with such incidents and protect their users' data.
.svg){kind=small}
.svg){kind=small}
