UPDATED 18:54 EDT / JULY 17 2024


15M email addresses stolen from Atlassian’s Trello shared on hacking forum

Atlassian Corp.-owned list-making application Trello has suffered a data breach with names and emails of over 15 million users shared on BreachForums.

Bleeping Computer reports that the data relates to a breach that first came to light in January, when a threat actor known as “emo” offered the Trello user profiles for sale. While much of the data is public information, the Trello data also includes the nonpublic email address associated with each account.

Emo, the hacker or hacking group offering the data in January, said that the data was collected using a REST application programming interface that allowed developers to query public information about a profile based on a user’s Trello ID, username or email address.

Emo claims to have created a list of 500 million email addresses and fed it into the API to determine if they were linked to a Trello account. The list was then combined with the returned account information to create profiles for over 15 million users.

Atlassian has confirmed the details, with a spokesperson saying that the issue involved exploiting an API that allowed users to invite members or guests to public boards by email address. Once the misuse was discovered in January, the API access was changed so that unauthenticated users and services could not request another user’s public profile by email.

Though the data does not include passwords, the email addresses make it ripe for use in targeted phishing attacks that trick users into handing over further personal details.

The fact that emo was able to access the data through an unsecured API endpoint raises questions about API security. Mayur Upadhyaya, chief executive officer at API security company APIContext Inc., told SiliconANGLE that the “leak of 15 million Trello user emails underscores the crucial role of API security.”

“To safeguard user data, APIs that access personal details must be secured with strong authentication and enforce least privilege principles,” Upadhyaya said. “Every API call should be tied to the requesting user, preventing unauthorized data access. Additionally, continuous monitoring, regular audits, penetration testing and API gateways with rate limiting are essential for proactive threat detection and mitigation. By following these best practices, organizations can minimize the risk of API breaches and protect user privacy, especially when the applications are becoming so dependent on APIs, with API calls making up over 80% of all web traffic.”
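The enumeration described above, one client feeding a long list of email addresses into an unauthenticated lookup endpoint, shows up in API gateway logs as a single client querying many distinct email addresses in a short window. The following detector is an added example, not code from the article, Trello or Atlassian: it reads constructed gateway log lines for an assumed endpoint path (`/api/members/lookup`, not Trello's real path) in an assumed log format and flags unauthenticated clients that look up more distinct addresses than a threshold within a sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOOKUP_PATH = "/api/members/lookup"  # assumed path for this example, not Trello's real endpoint
# Assumed log format: <timestamp> <client ip> <principal|anon> <method> <path?query>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Constructed sample log: one anonymous client cycles through addresses, one signed-in user does not.
SAMPLE_LOG = """\
2024-01-15T10:00:00Z 203.0.113.7 anon GET /api/members/lookup?email=a@example.com
2024-01-15T10:00:01Z 203.0.113.7 anon GET /api/members/lookup?email=b@example.com
2024-01-15T10:00:02Z 203.0.113.7 anon GET /api/members/lookup?email=c@example.com
2024-01-15T10:00:03Z 203.0.113.7 anon GET /api/members/lookup?email=d@example.com
2024-01-15T10:00:04Z 203.0.113.7 anon GET /api/members/lookup?email=e@example.com
2024-01-15T10:00:05Z 198.51.100.9 user:u42 GET /api/members/lookup?email=f@example.com
2024-01-15T10:00:06Z 198.51.100.9 user:u42 GET /api/boards/abc123
2024-01-15T10:05:00Z 203.0.113.7 anon GET /api/members/lookup?email=g@example.com
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, principal, _method, target = m.groups()
    path, _, query = target.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "client": client,
            "authenticated": principal != "anon", "path": path, "email": params.get("email")}


def find_enumerators(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {client: peak distinct emails} for unauthenticated clients that queried the
    lookup endpoint for at least `threshold` distinct addresses inside any `window`."""
    recent = defaultdict(deque)  # client -> (timestamp, email) pairs inside the window
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["path"] != LOOKUP_PATH or ev["email"] is None or ev["authenticated"]:
            continue  # only anonymous lookups by email are in scope
        q = recent[ev["client"]]
        q.append((ev["ts"], ev["email"]))
        while q and ev["ts"] - q[0][0] > window:  # slide the window forward
            q.popleft()
        distinct = len({email for _, email in q})
        if distinct >= threshold:
            flagged[ev["client"]] = max(distinct, flagged.get(ev["client"], 0))
    return flagged


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # expected: {'203.0.113.7': 5}
```

Authenticated requests are skipped deliberately: once every call is tied to a signed-in principal, the same rule can be keyed on that principal instead of the client address.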
