A risk actor has launched over 15 million electronic mail addresses related to Trello accounts that had been collected utilizing an unsecured API in January.
Trello is a web-based mission administration device owned by Atlassian. Companies generally use it to prepare information and duties into boards, playing cards, and lists.
In January, BleepingComputer reported {that a} risk actor often called ’emo’ was promoting profiles for 15,115,516 Trello members on a preferred hacking discussion board.
Whereas virtually all the information in these profiles is public data, every profile additionally contained a private electronic mail deal with related to the account.
Whereas Atlassian, the proprietor of Trello, didn’t verify on the time how the information was stolen, emo informed BleepingComputer it was collected utilizing an unsecured REST API that allowed builders to question for public details about a profile primarily based on customers’ Trello ID, username, or electronic mail deal with.
emo created a listing of 500 million electronic mail addresses and fed it into the API to find out in the event that they had been linked to a Trello account. The checklist was then mixed with the returned account data to create member profiles for over 15 million customers.
At this time, emo shared your complete checklist of 15,115,516 profiles on the Breached hacking discussion board for eight web site credit (value $2.32).
“Trello had an open API endpoint that enables any unauthenticated consumer to map an electronic mail deal with to a trello account,” emo defined within the discussion board publish.
“I initially was solely going to feed the endpoint emails from ‘com’ (OGU, RF, Breached, and many others.) databases however I simply determined to maintain going with emails till I used to be bored.”
The leaked information contains electronic mail addresses and public Trello account data, together with the consumer’s full identify.
This data can be utilized in focused phishing assaults to steal extra delicate data, akin to passwords. emo additionally says the information can be utilized for doxxing, permitting risk actors to hyperlink electronic mail addresses to folks and their aliases.
Atlassian confirmed to BleepingComputer in the present day that the data was collected by means of a Trello REST API that was secured in January.
“Enabled by the Trello REST API, Trello customers have been enabled to ask members or company to their public boards by electronic mail deal with. Nevertheless, given the misuse of the API uncovered on this January 2024 investigation, we made a change to it in order that unauthenticated customers/providers can not request one other consumer’s public data by electronic mail. Authenticated customers can nonetheless request data that’s publicly accessible on one other consumer’s profile utilizing this API. This alteration strikes a stability between stopping misuse of the API whereas retaining the ‘invite to a public board by electronic mail’ function working for our customers. We are going to proceed to watch the usage of the API and take any obligatory actions.”
❖ Atlassian
Unsecured APIs have change into a preferred goal for risk actors, who abuse them to mix private data, akin to electronic mail addresses and telephone numbers, with public profiles.
In 2021, risk actors abused an API to hyperlink telephone numbers to Fb accounts, creating profiles for 533 million customers.
In 2022, Twitter suffered the same breach when risk actors abused an unsecured API to hyperlink telephone numbers and electronic mail addresses to hundreds of thousands of customers.
As many individuals publish anonymously on social media, this information allowed for the unmasking of those folks, posing a big privateness threat.
Extra just lately, an unsecured Twilio API was used to substantiate the telephone numbers of 33 million Authy multi-factor authentication app customers.
Many organizations try to safe APIs utilizing rate-limiting slightly than by means of authentication through an API key.
Nevertheless, risk actors merely buy tons of of proxy servers and rotate the connections to continuously question the API, making the speed limiting ineffective.