Trello API Abuse Exposes Sensitive Data of Over 15 Million Users
A weakness in Trello’s public API has been used to link private email addresses to more than 15 million user accounts. An unauthenticated endpoint allowed anyone to look up a public profile by email address, so an attacker holding a large list of email addresses could test each one and tie every match to a Trello profile. The exposure raises privacy concerns and increases the risk of phishing attacks against Trello users. Atlassian, Trello’s parent company, has since changed the API so that these lookups require authentication. Here’s a detailed look at the incident and its implications for user security.
The Trello Data Leak Incident
Reports of the data exposure surfaced last week when a hacker, known as ’emo,’ advertised a dataset containing information on 15,115,516 Trello users on a hacking forum. The dataset includes:
- Email addresses
- Usernames
- Full names
- Other account details
Most of the profile fields in the dataset are public, but the association between an email address and a Trello account is private and should not have been obtainable from an unauthenticated endpoint. Merging that private link with the public profile data is what makes the dataset sensitive.
“Contains emails, usernames, full names, and other account info. 15,115,516 unique lines,” stated the forum post, inviting potential buyers to contact the hacker via a secure messaging platform.
How the Data Leak Happened: API Misuse
Upon investigation, Atlassian clarified that the exposure was not due to unauthorized access to Trello systems. Instead, a public API endpoint was abused: it let callers look up Trello profiles by email address, so a list of candidate emails could be turned into a list of confirmed accounts.
Key Points of Exploitation:
- Trello’s REST API allows users to integrate external applications and invite others to boards via email.
- The API endpoint inadvertently allowed querying profiles using email addresses without requiring authentication.
- The hacker reportedly used a list of 500 million email addresses to identify matching Trello accounts.
- Trello’s API rate-limiting per IP address was circumvented using proxy servers, enabling continuous querying.
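The following is an added illustration, not Trello’s code, of the pattern described in the points above: a profile lookup keyed by email, rate-limited only per source IP, and how rotating through proxy addresses defeats that limit. The hardened variant requires an authenticated session and ties the request budget to the account rather than the IP. The user table, the `RateLimiter`, `lookup_vulnerable`, `lookup_hardened` and `simulate_enumeration` are all constructed for this example.

```python
"""Email-to-profile enumeration against a toy lookup endpoint (constructed example)."""
import time

# Constructed sample directory: email -> public profile fields (not real users).
USERS = {
    "alice@example.com": {"username": "alice", "full_name": "Alice Example"},
    "bob@example.com": {"username": "bob_b", "full_name": "Bob Builder"},
}


class RateLimiter:
    """Fixed-window counter keyed on an arbitrary string (source IP, user id, ...)."""

    def __init__(self, limit, window_s, clock=time.monotonic):
        self.limit = limit
        self.window_s = window_s
        self.clock = clock          # injectable for deterministic tests
        self.buckets = {}           # key -> (window_start, count)

    def allow(self, key):
        now = self.clock()
        start, count = self.buckets.get(key, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0   # new window
        count += 1
        self.buckets[key] = (start, count)
        return count <= self.limit


def lookup_vulnerable(email, src_ip, limiter):
    """Before: no authentication; the only brake is a per-IP budget."""
    if not limiter.allow(src_ip):
        return {"status": 429}
    profile = USERS.get(email)
    if profile is None:
        return {"status": 404}      # distinguishes registered from unregistered emails
    return {"status": 200, "profile": profile}


def lookup_hardened(email, src_ip, session, limiter):
    """After: caller must be authenticated; the budget follows the account, not the IP.

    Note this still answers 200 vs 404, so an authenticated caller can still test
    whether an email is registered. Authentication makes the activity attributable
    and lets the budget be enforced per account; it does not hide account existence.
    """
    if session is None or "user_id" not in session:
        return {"status": 401}
    if not limiter.allow("user:" + session["user_id"]):
        return {"status": 429}
    profile = USERS.get(email)
    if profile is None:
        return {"status": 404}
    return {"status": 200, "profile": profile}


def simulate_enumeration(candidate_emails, proxy_ips, lookup, limit_per_ip):
    """Attacker loop: move to the next proxy IP before any one IP exceeds its budget.

    `lookup(email, src_ip)` is the endpoint under test. Returns (email, profile)
    pairs for every candidate the endpoint confirmed as a registered account.
    """
    hits = []
    for i, email in enumerate(candidate_emails):
        ip = proxy_ips[(i // limit_per_ip) % len(proxy_ips)]
        resp = lookup(email, ip)
        if resp["status"] == 200:
            hits.append((email, resp["profile"]))
    return hits


if __name__ == "__main__":
    fixed_clock = lambda: 0.0   # everything lands in a single rate-limit window
    candidates = ["alice@example.com", "nobody1@example.com", "bob@example.com",
                  "nobody2@example.com", "nobody3@example.com", "nobody4@example.com"]
    proxies = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]

    lim = RateLimiter(limit=2, window_s=60, clock=fixed_clock)
    found = simulate_enumeration(candidates, proxies,
                                 lambda e, ip: lookup_vulnerable(e, ip, lim), 2)
    print("vulnerable endpoint, 3 proxies:", [e for e, _ in found])

    lim = RateLimiter(limit=2, window_s=60, clock=fixed_clock)
    found = simulate_enumeration(candidates, proxies,
                                 lambda e, ip: lookup_hardened(e, ip, None, lim), 2)
    print("hardened endpoint, unauthenticated:", [e for e, _ in found])
```

With a per-IP budget of two requests per window and three proxy addresses, the vulnerable endpoint confirms both registered emails because no single IP ever exceeds its limit; the same loop from one IP finds only the first. Against the hardened endpoint, unauthenticated calls all return 401, and an authenticated attacker is capped by the per-account budget no matter how many proxies are used.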
Trello’s Response to the Vulnerability
In response to the incident, Trello made modifications to its API to require authentication for queries involving email addresses. This change prevents anonymous access while maintaining functionality for authenticated users.
Trello’s official statement includes:
“Given the misuse of the API uncovered in this investigation, we’ve made a change to it so that unauthenticated users/services cannot request another user’s public information by email. Authenticated users can still request information that is publicly available on another user’s profile using this API. We will continue to monitor the use of the API and take any necessary actions.”
The Risks: Privacy Breach and Phishing Threats
Although the majority of the exposed data is public, confirming which email addresses belong to Trello users, and tying them to names and usernames, gives attackers exactly what targeted phishing needs. Attackers could impersonate Trello in emails or other communications, addressing each recipient by name, to trick users into revealing sensitive information such as passwords.
Recommended Actions for Users:
- Check If You’re Affected: Use the Have I Been Pwned service to verify if your email is included in the Trello leak.
- Be Vigilant Against Phishing: Avoid clicking on links in suspicious emails, especially those requesting sensitive information.
- Enhance Account Security: Enable two-factor authentication (2FA) where available and use strong, unique passwords for your accounts.
Conclusion
This incident shows how an unauthenticated lookup endpoint, combined with rate limiting keyed only on the source IP address, turns a convenience feature into a mass enumeration tool. Trello has addressed the issue by requiring authentication for email-based queries, which makes the activity attributable and limitable per account; users must still remain proactive in safeguarding their accounts against phishing attacks and other threats.
For further details, refer to Trello’s official advisory:
Protecting personal data online is a shared responsibility between service providers and users. As API abuse becomes more prevalent, awareness and vigilance are key to maintaining digital security.