TechRadar
Sead Fadilpašić

Millions of Trello user accounts leaked online — personal info available for basically nothing, here's what we know

Public account information on more than 15 million Trello users has been leaked online after a threat actor decided to basically give it away on a hacking forum.

In January 2024, a threat actor with the alias ‘emo’ said they collected 15,115,516 email addresses used to register Trello accounts, by feeding more than 500 million emails into an unsecured API, to see which were used for an account on the platform. Besides the email address, the hacker obtained people’s public Trello account information, as well as full names.

Roughly half a year later, the same threat actor is now selling the database on the Breached hacking forum for eight site credits. According to BleepingComputer, that equals $2.32.

Abusing APIs

"Trello had an open API endpoint that allows any unauthenticated user to map an email address to a Trello account," the threat actor said. "I originally was only going to feed the endpoint emails from 'com' (OGU, RF, Breached, etc.) databases but I just decided to keep going with emails until I was bored."

Initially, Trello denied having been breached, saying that the hacker had built the database out of public and scraped information. It has now confirmed that the incident stemmed from an unsecured API:

"Enabled by the Trello REST API, Trello users have been enabled to invite members or guests to their public boards by email address. However, given the misuse of the API uncovered in this January 2024 investigation, we made a change to it so that unauthenticated users/services cannot request another user's public information by email. Authenticated users can still request information that is publicly available on another user's profile using this API. This change strikes a balance between preventing misuse of the API while keeping the ‘invite to a public board by email’ feature working for our users. We will continue to monitor the use of the API and take any necessary actions."
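To make the weakness and the fix concrete, here is an added example (not Trello's code, and not from the article) that models an email-to-member lookup: the open version answers anyone, while the hardened version requires an authenticated session, as Trello describes, and additionally caps how many distinct addresses one caller may resolve. All profiles, tokens, client ids and the budget value are constructed placeholders.

```python
"""
Added example (not Trello's code): a minimal email-to-member lookup
that models the weakness described in the article and one way to
harden it. All names, tokens and profiles below are constructed.
"""
from collections import defaultdict
from typing import Optional

# Constructed sample of public profiles keyed by registration e-mail.
MEMBERS = {
    "alice@example.com": {"username": "alice_w", "full_name": "Alice Wong"},
    "bob@example.com": {"username": "bob_k", "full_name": "Bob Kim"},
}
# Constructed session tokens for authenticated users.
SESSIONS = {"tok-alice": "alice@example.com"}

# Assumed per-caller budget of distinct e-mails that may be looked up;
# a real service would tune this and apply it over a time window.
LOOKUP_BUDGET = 3
_seen_by_client: dict = defaultdict(set)


def lookup_open(email: str) -> Optional[dict]:
    """Weak version: any unauthenticated caller can map an e-mail to a
    profile, so a 500M-address list becomes a 500M-request enumeration."""
    return MEMBERS.get(email.lower())


def lookup_hardened(email: str, token: Optional[str], client_id: str) -> dict:
    """Hardened version: (1) require an authenticated session, which is
    the change Trello describes, and (2) cap distinct e-mails per caller
    so a valid account cannot simply be reused for bulk enumeration."""
    if token not in SESSIONS:
        return {"status": 401}          # unauthenticated: no lookup at all
    seen = _seen_by_client[client_id]
    seen.add(email.lower())
    if len(seen) > LOOKUP_BUDGET:
        return {"status": 429}          # too many distinct addresses
    profile = MEMBERS.get(email.lower())
    if profile is None:
        return {"status": 404}
    return {"status": 200, "profile": profile}
```

The 429 branch is where an operator would also log the client for investigation, since a high volume of distinct-address lookups with many misses is the signature of the enumeration the article describes.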

While collecting public information this way doesn’t sound like a particularly dangerous attack, the information can still be used to create convincing phishing emails. That can lead to more destructive compromise, such as password theft, malware deployment, and more.

Trello is a project management platform on which users (mostly businesses) can organize tasks into columns, or cards. The platform allegedly has more than 40 million users.
