UPDATED 18:54 EST / JULY 17 2024

SECURITY

15M email addresses stolen from Atlassian’s Trello shared on hacking forum

Atlassian Corp.-owned list-making application Trello has suffered a data breach with names and emails of over 15 million users shared on BreachForums.

Bleeping Computer reports that the data relates to a breach that first came to light in January, when a threat actor known as "emo" first offered the Trello user profiles for sale. While much of the data is public profile information, the Trello data also includes the nonpublic email address associated with each account.

Emo, the hacker or hacking group offering the data in January, said that the data was collected using a REST application programming interface that allowed developers to query public information about a profile based on a user’s Trello ID, username or email address.

Emo claims to have created a list of 500 million email addresses and fed it into the API to determine if they were linked to a Trello account. The list was then combined with the returned account information to create profiles for over 15 million users.

Atlassian has confirmed the details, with a spokesperson saying that the issue involved exploiting an API that allowed users to invite members or guests to public boards by email address. Once the misuse was discovered in January, the API access was changed so that unauthenticated users and services could no longer request another user's public profile by email.

Though the data does not include passwords, the emails make the data ripe for use in targeted phishing attacks that can be used to trick users into handing over more personal details.

The fact that emo was able to harvest the data through an unauthenticated API endpoint raises questions about API security. Mayur Upadhyaya, chief executive officer at API security company APIContext Inc., told SiliconANGLE that the "leak of 15 million Trello user emails underscores the crucial role of API security."

“To safeguard user data, APIs that access personal details must be secured with strong authentication and enforce least privilege principles,” Upadhyaya said. “Every API call should be tied to the requesting user, preventing unauthorized data access. Additionally, continuous monitoring, regular audits, penetration testing and API gateways with rate limiting are essential for proactive threat detection and mitigation. By following these best practices, organizations can minimize the risk of API breaches and protect user privacy, especially when the applications are becoming so dependent on APIs, with API calls making up over 80% of all web traffic.”
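The mechanism the article describes (an endpoint that takes an email address and returns the matching profile to anyone who asks) and the controls named above (authentication, tying each call to a requesting user, rate limiting) can be made concrete with a small in-memory model. The following is an added example, not Trello's or Atlassian's code, and says nothing about how Trello's real API is implemented: the user directory, session tokens, request shape, rate-limit budget and function names are all constructed for illustration.

```python
"""Added illustration (not Trello's or Atlassian's code): a toy in-memory
"find member by email" endpoint in its weak and hardened forms.

Everything here is constructed for the example: the user directory, the
session tokens, the rate limit and the request shape are hypothetical.
"""
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory (hypothetical data, not from the breach).
USERS = {
    "alice@example.com": {"id": "u1", "username": "alice", "full_name": "Alice A."},
    "bob@example.com":   {"id": "u2", "username": "bob",   "full_name": "Bob B."},
}

# Constructed session store: bearer token -> id of the authenticated user.
SESSIONS = {"tok-alice": "u1"}


@dataclass
class Request:
    params: dict                      # query parameters, e.g. {"email": ...}
    session_token: Optional[str] = None


def lookup_member_vulnerable(req: Request) -> dict:
    """Weak form: no authentication, no throttling, and the response both
    confirms whether the email is registered and links it to a profile.
    Feeding a large email list through this yields a profile-per-email dump."""
    email = req.params.get("email", "").strip().lower()
    user = USERS.get(email)
    if user is None:
        return {"status": 404, "body": {"error": "no such member"}}
    return {"status": 200, "body": {"id": user["id"], "username": user["username"],
                                    "full_name": user["full_name"], "email": email}}


class RateLimiter:
    """Fixed-window counter keyed by caller (the authenticated user id here)."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self.hits = {}  # key -> (window_start, count)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        start, count = self.hits.get(key, (now, 0))
        if now - start >= self.window:   # window expired: start a fresh one
            start, count = now, 0
        count += 1
        self.hits[key] = (start, count)
        return count <= self.limit


LIMITER = RateLimiter(limit=5, window_seconds=60)   # hypothetical budget


def lookup_member_hardened(req: Request, limiter: RateLimiter = LIMITER) -> dict:
    """Hardened form:
      1. an authenticated session is required, so every call is tied to a
         known user (the change Atlassian described: no unauthenticated
         lookup of another user's profile by email);
      2. lookups are rate-limited per authenticated user, so a bulk list
         cannot be pushed through at scraping speed;
      3. the looked-up email is never echoed back, so even a permitted
         response does not hand over the one nonpublic field being harvested.
    """
    caller = SESSIONS.get(req.session_token or "")
    if caller is None:
        return {"status": 401, "body": {"error": "authentication required"}}
    if not limiter.allow(caller):
        return {"status": 429, "body": {"error": "rate limit exceeded"}}
    email = req.params.get("email", "").strip().lower()
    user = USERS.get(email)
    if user is None:
        return {"status": 404, "body": {"error": "no such member"}}
    return {"status": 200, "body": {"id": user["id"], "username": user["username"],
                                    "full_name": user["full_name"]}}


def enumerate_emails(handler, emails, session_token=None) -> list:
    """Drive a handler with a list of candidate emails, the pattern the
    article describes; returns (email, status) pairs for inspection."""
    return [(e, handler(Request({"email": e}, session_token))["status"]) for e in emails]


if __name__ == "__main__":
    # Constructed candidate list: two registered addresses, one not.
    candidates = ["alice@example.com", "nobody@example.com", "bob@example.com"]
    print("vulnerable:", enumerate_emails(lookup_member_vulnerable, candidates))
    print("hardened, anonymous:", enumerate_emails(lookup_member_hardened, candidates))
    print("hardened, authenticated:",
          enumerate_emails(lookup_member_hardened, candidates, "tok-alice"))
```

Run against the vulnerable handler, the candidate list comes back as a clean registered/not-registered split with a profile attached to every hit, which is the scraping described above; the hardened handler answers 401 to anonymous callers and, once a caller is authenticated, stops answering with 429 after the per-user budget is spent. Note the caveat a practitioner should keep in mind: an authenticated caller can still learn whether a single address is registered, so the rate limit and the per-user binding are what make bulk abuse slow and attributable rather than impossible, and monitoring for many distinct-email lookups from one account is the complementary detection.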

Image: SiliconANGLE/Ideogram
