15 million Trello users at risk after unknown hacker uses proxy service to scrape data — emails, usernames, full names and other accounts info are available for sale on hacking forum
Hacker associated public Trello profile data with private emails
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
A threat actor has put some 15 million people at risk by managing to link their private email addresses with public data from their Trello accounts.
A report fromBleepingComputerhas revealed how a hacker with the alias “emo” took to a popular hacking forum recently, where they offered a database of more than 15 million Trello members for sale.
“Contains emails, usernames, full names and other account info. 15,115,516 unique lines,” the ad stated. “Selling one copy to whoever wants it, message on me on-site or on telegram if you’re interested.”
Abusing APIs
Trello has now came forward with a statement, saying its systems were not breached, and that the information in the database was public and scraped.
“All evidence points to a threat actor testing a pre-existing list of email addresses against publicly available Trello user profiles,” Trello’s owner, Atlassian, said in a statement.
“We are conducting an exhaustive investigation and have not found any evidence of unauthorized access of Trello or user profiles.
However, this might not be entirely correct. Emo toldBleepingComputerthat they used a publicly exposed API to link email addresses to public Trello profiles.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The API was designed to allow developers to query for public information on people’s profile, based on Trello IDs and usernames, but emo found that emails can also be queried this way, effectively associating public profile information to an email address which would, otherwise, remain hidden. The API was publicly accessible, the hacker added. Now, it requires users to log in, but a free account will suffice.
The problem here is that hackers can now know which email address was used to create a Trello account, information which can be abused in targeted and highly sophisticatedphishingattacks. Knowing that Trello is a project management board used mostly by professionals only makes it more dangerous.
More from TechRadar Pro
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Windows PCs targeted by new malware hitting a vulnerable driver
Dangerous Android banking malware looks to trick victims with fake money transfers
Apple iMac 24-inch M4 (2024) review: the best, and most colorful, all-in-one computer levels up