Vorlon Blog

You Say Goodbye, and I Say Trello

Written by Lauren Lee | Feb 7, 2024 5:00:00 PM

Introduction 

Let's dive into some recent tech news that's been making waves like the Beatles when they released their first album. You might have heard about Trello, the popular project management tool by Atlassian, right? Well, it turns out they've had a bit of a data leak issue.

 

The Leak: Public Data Meets Private Emails

Last week, the cyberworld buzzed with the news of a Trello data leak. A person, going by 'emo', put up a sale for data profiles of over 15 million Trello members on a hacking forum. These profiles weren't just any profiles; they contained emails, usernames, full names, and other account info. Now, most of this info was public, but the email addresses? Not so much.

 

The Investigation: More Than Meets the Eye

When BleepingComputer reached out to Trello, they said the data was scraped from public profiles – no hacking involved. But, as they dug deeper, a different picture emerged. Emo, the person behind this, revealed that they used a publicly exposed API to link email addresses with Trello accounts.

 

API Abuse: The Crux of the Leak

Trello's REST API, which lets developers integrate Trello into their apps, was the key here. Normally, this API would let you look up public profile info using a Trello ID or username. But Emo discovered a loophole – you could also use an email address to fetch public profile info.

 

The Method: A Game of Numbers

Emo didn't stop at a few email addresses. They compiled a massive list of 500 million emails and fed them into the API to see which ones matched Trello accounts. Even with Trello's rate-limited API, Emo circumvented this by using proxy servers to keep the queries going.

 

Securing the API: Trello's Response

Trello has since tightened up their API, requiring authentication for such queries. But it's still accessible to anyone with a Trello account. They've made changes to prevent misuse while maintaining functionality for legitimate users.

 

The Implications: Beyond Public Data

While public data being scraped isn't usually alarming, linking private emails to public profiles raises the stakes. It opens doors for targeted phishing attacks, where scammers could pretend to be Trello to snag more sensitive info like passwords.

This breach also highlights the importance of authentication measures in API queries. When APIs are accessible without stringent authentication, it invites cybercriminals to walk in. It's not just about unauthorized data access; it's about the potential havoc unauthenticated API access can wreak. From data integrity issues to exposing users to fraud, the consequences are far-reaching. 

 

Stay Safe: Check Your Email

If you're worried about your email being part of this leak, you can check it on the Have I Been Pwned data breach notification service. It's a good practice to stay vigilant about where your email might pop up.

 

A Familiar Scenario: Twitter's 2021 API Leak

This isn't the first time something like this has happened. Remember Twitter's 2021 API bug? It allowed threat actors to link emails and phone numbers to Twitter IDs. They scraped public Twitter data and ended up leaking data of over 200 million profiles. Twitter fixed the flaw, but the damage was done.

 

Conclusion

The Trello incident is a reminder of how exposed APIs can lead to unintended data leaks. It's a wake-up call for both users and companies to be extra cautious about how data is shared and accessed.