A threat actor has put approximately 15 million people at risk by linking their private email addresses with public data from their Trello accounts.
A hacker with the alias “emo” recently took to a popular hacking forum, where they offered a database of more than 15 million Trello members for sale.
“Contains emails, usernames, full names and other account information. 15,115,516 unique lines,” BleepingComputer quoted the ad as saying. “I'm selling a copy to anyone who wants it, send me a message on the site or on Telegram if you're interested.”
API abuse
Trello has now made a statement, saying that its systems were not breached and that the information in the database was public and deleted.
“All evidence points to a threat actor testing a pre-existing list of email addresses with publicly available Trello user profiles,” Trello owner Atlassian said in a statement.
“We are conducting a thorough investigation and have not found any evidence of unauthorized access to Trello or user profiles.”
However, this might not be entirely correct. Emo told the media that they used a publicly exposed API to link email addresses to public Trello profiles.
The API was designed to let developers query public profile information by Trello ID or username, but emo discovered that it also accepted email addresses as the lookup key, which ties a user's public profile to an email address that would otherwise remain hidden. The API was accessible without authentication at the time, the hacker added; it now requires users to log in, but a free account suffices.
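As an added illustration (not code from the article, Trello or Atlassian), a detector over constructed access-log lines in a hypothetical format that flags a caller querying a profile-lookup endpoint with many distinct email addresses in a short window, the pattern of testing a pre-existing email list that ordinary lookups by username or ID do not produce:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical log format (not Trello's own logs):
# timestamp, calling account, and the key used to look up a member profile.
SAMPLE_LOG = """\
2024-01-16T10:00:00Z acct=alice GET /members/bob
2024-01-16T10:00:05Z acct=scraper GET /members/a1@example.com
2024-01-16T10:00:06Z acct=scraper GET /members/a2@example.com
2024-01-16T10:00:07Z acct=scraper GET /members/a3@example.com
2024-01-16T10:00:08Z acct=scraper GET /members/a4@example.com
2024-01-16T10:00:09Z acct=scraper GET /members/a5@example.com
2024-01-16T10:02:00Z acct=alice GET /members/carol@example.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) acct=(?P<acct>\S+) GET /members/(?P<key>\S+)$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_line(line):
    """Return (timestamp, account, lookup_key), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["acct"], m["key"]

def find_email_enumerators(log_text, window=timedelta(minutes=5), threshold=5):
    """Map each account that looked up >= threshold distinct emails within
    `window` to the largest distinct-email count seen in any window."""
    recent = defaultdict(deque)   # account -> (timestamp, email) pairs inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, acct, key = parsed
        if not EMAIL_RE.match(key):      # username/ID lookups are the documented use
            continue
        q = recent[acct]
        q.append((ts, key.lower()))
        while q and ts - q[0][0] > window:   # drop lookups that fell out of the window
            q.popleft()
        distinct = {email for _, email in q}
        if len(distinct) >= threshold:
            flagged[acct] = max(flagged.get(acct, 0), len(distinct))
    return flagged
```

Tune `window` and `threshold` to the endpoint's normal traffic; the signal worth alerting on is the ratio of email-keyed lookups to ID-keyed ones per caller, not raw request volume.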
The problem here is that attackers now know which email address was used to create a Trello account, information that can be abused in highly sophisticated, targeted phishing attacks. Since Trello is a project management board used primarily by professionals, this is all the more dangerous.