
Hacker Scrapes 15 Million Trello Profiles Through API


Approximately 15 million names, usernames and email addresses tied to public Trello profiles have surfaced for sale on the Dark Web. Because each record pairs a real name with a working email address, the set is useful for account-takeover attempts and targeted spear-phishing.

Atlassian's Response and API Modification

Atlassian, Trello's parent company, has responded by changing the API involved so that the same scraping technique no longer works. Researchers, however, argue that Atlassian is downplaying its share of responsibility for the incident.

Exploitation of Trello's API Vulnerability

The hacker, who goes by "emo," did not break authentication or exploit a memory-safety bug. The attack was a business-logic abuse of an API endpoint that accepted an email address and returned the public Trello profile associated with it, without requiring the caller to log in. Feeding a large list of already-known email addresses through that endpoint, one address at a time, yielded roughly 15 million matched Trello profiles.
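The pattern described above, one client resolving a long list of distinct email addresses against a profile-lookup endpoint, is visible in ordinary web server access logs. The script below is an added example (not Trello or Atlassian code) that flags source IPs probing more than a threshold of distinct emails within a sliding window. The endpoint path `/api/profile` and its `email` parameter are hypothetical, and `SAMPLE_LOGS` is constructed:

```python
"""Flag clients that enumerate many distinct email addresses against a
profile-lookup endpoint.  Added example (not Trello/Atlassian code).

Assumptions, not taken from the article: the lookup endpoint is the
hypothetical path /api/profile with an `email` query parameter, and the
web server writes combined-format access logs.  SAMPLE_LOGS is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOOKUP_PATH = "/api/profile"  # hypothetical endpoint

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

SAMPLE_LOGS = """\
203.0.113.7 - - [15/Jan/2024:10:00:01 +0000] "GET /api/profile?email=alice%40example.com HTTP/1.1" 200 512
203.0.113.7 - - [15/Jan/2024:10:00:01 +0000] "GET /api/profile?email=bob%40example.com HTTP/1.1" 200 498
203.0.113.7 - - [15/Jan/2024:10:00:02 +0000] "GET /api/profile?email=carol%40example.net HTTP/1.1" 404 23
203.0.113.7 - - [15/Jan/2024:10:00:02 +0000] "GET /api/profile?email=dave%40example.org HTTP/1.1" 200 501
203.0.113.7 - - [15/Jan/2024:10:00:03 +0000] "GET /api/profile?email=erin%40example.com HTTP/1.1" 200 487
203.0.113.7 - - [15/Jan/2024:10:00:03 +0000] "GET /api/profile?email=frank%40example.com HTTP/1.1" 200 505
198.51.100.4 - - [15/Jan/2024:10:00:10 +0000] "GET /api/profile?email=grace%40example.com HTTP/1.1" 200 490
198.51.100.4 - - [15/Jan/2024:10:00:45 +0000] "GET /api/profile?email=Grace%40example.com HTTP/1.1" 200 490
192.0.2.9 - - [15/Jan/2024:10:00:12 +0000] "GET /api/boards HTTP/1.1" 200 2048
"""


def parse_lookup(line):
    """Return (ip, timestamp, email) for a lookup request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    if target.path != LOOKUP_PATH:
        return None
    emails = parse_qs(target.query).get("email")  # parse_qs also percent-decodes
    if not emails:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Normalise case so Alice@ and alice@ count as one probe.
    # The status code is deliberately ignored: a 404 still tells the
    # scraper that no account exists for that address.
    return m["ip"], ts, emails[0].strip().lower()


def find_enumerators(lines, window=timedelta(seconds=60), threshold=5):
    """Map each client IP that looked up more than `threshold` distinct
    emails inside any `window` to its peak distinct-email count."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_lookup(line)
        if rec:
            ip, ts, email = rec
            by_ip[ip].append((ts, email))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        in_window = defaultdict(int)  # email -> lookups inside the window
        left = peak = 0
        for ts, email in events:
            in_window[email] += 1
            while ts - events[left][0] > window:  # drop probes older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOGS.splitlines()).items():
        print(f"{ip}: {n} distinct emails probed within 60s")
```

The detector keys on distinct addresses rather than request volume, which is what separates a scraper from a legitimate client repeatedly checking the same colleague. In production the key should also include the authenticated principal, since a scraper behind a proxy pool looks like many IPs but often like one account.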

Atlassian's Stance and API Tightening

Atlassian maintains that no unauthorized access occurred, since the endpoint only ever returned information the affected users had already made public. It nonetheless acknowledges that the API configuration needed tightening: unauthenticated callers can no longer look up another user's public profile by email address, while authenticated users can still retrieve the same publicly available information.
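The change Atlassian describes, moving the email-to-profile lookup behind authentication, is modelled below as an added example; this is not Trello or Atlassian code, and `PROFILES`, `SESSIONS` and `SlidingWindowLimiter` are hypothetical stand-ins for a real user store, session store and quota service. The open form is shown beside a hardened form that also adds the per-principal quota a practitioner would want, because requiring a login alone only raises the cost of scraping from zero to one free account:

```python
"""An email-to-profile lookup modelled before and after tightening.
Added example, not Trello or Atlassian code; PROFILES, SESSIONS and
SlidingWindowLimiter are hypothetical stand-ins for a real user store,
session store and quota service.
"""
import time
from collections import deque

# Constructed sample data.  The profile fields are public by design; the
# email -> profile index is what should not be freely queryable.
PROFILES = {
    "alice@example.com": {"username": "alice", "full_name": "Alice Example"},
    "bob@example.com": {"username": "bob", "full_name": "Bob Example"},
    "carol@example.net": {"username": "carol", "full_name": "Carol Example"},
}
SESSIONS = {"tok-alice": "alice@example.com"}  # hypothetical session tokens

# An attacker's list: addresses harvested elsewhere, some with no account here.
ATTACKER_EMAILS = [
    "alice@example.com", "bob@example.com", "nobody@example.org", "carol@example.net",
]


def lookup_open(email):
    """Before: any caller who knows an email gets the matching public profile."""
    profile = PROFILES.get(email.strip().lower())
    return (200, profile) if profile else (404, None)


class SlidingWindowLimiter:
    """Allow at most `limit` calls per key inside any `window_s` seconds."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self._hits = {}

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now  # injectable clock for tests
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def lookup_hardened(email, token, limiter, now=None):
    """After: the same lookup, but only for an authenticated principal
    and only within that principal's quota."""
    if token not in SESSIONS:
        return (401, None)          # unauthenticated callers learn nothing
    if not limiter.allow(token, now):
        return (429, None)          # one account cannot walk a million addresses
    profile = PROFILES.get(email.strip().lower())
    return (200, profile) if profile else (404, None)


def simulate_scrape(lookup, emails):
    """Feed an attacker's list through a lookup; return the profiles recovered."""
    found = {}
    for email in emails:
        status, profile = lookup(email)
        if status == 200:
            found[email] = profile
    return found


if __name__ == "__main__":
    print("open endpoint:", len(simulate_scrape(lookup_open, ATTACKER_EMAILS)), "profiles")
    lim = SlidingWindowLimiter(limit=2, window_s=60)
    anon = simulate_scrape(lambda e: lookup_hardened(e, None, lim), ATTACKER_EMAILS)
    print("hardened, no session:", len(anon), "profiles")
    authed = simulate_scrape(lambda e: lookup_hardened(e, "tok-alice", lim, now=0.0), ATTACKER_EMAILS)
    print("hardened, one session, quota 2/min:", len(authed), "profiles")
```

Two caveats follow from the model. First, the authentication check alone does not stop a scraper who registers an account; the quota (and the enumeration detection it pairs with) is what actually bounds the yield. Second, even the hardened lookup still answers 200 or 404, so it remains an oracle for whether an address has an account. That is inherent to any "find a member by email" feature, which is why this class of problem is a business-logic decision about who may ask, and how often, rather than a broken access check.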

Debates on Trello's Accountability

The incident has sparked debate over how much accountability Trello bears for data scraping. Atlassian's position is that every field returned was already public; critics counter that exposing an unauthenticated email-to-profile lookup turned individually public data into a bulk-resolvable index, and that Trello should take more responsibility for preventing that.

Hacker's Access to a Vast Pool of Email Addresses

The attack depended on emo already holding a vast pool of known email addresses to feed into the lookup; the technique confirms which addresses have Trello accounts rather than discovering new ones. The Trello emails in the scraped set overlap with data tied to other services, including Wattpad, Canva, Dropbox, Twitter and Gravatar.

Implications for Businesses and Enhanced Security Measures

Businesses whose staff appear in the scraped data should prioritise additional controls, above all multifactor authentication (MFA). Security practitioners warn of a rise in credential stuffing, in which the scraped addresses are paired with passwords leaked in earlier breaches and replayed against Trello and other services; unique credentials per site and robust account-security controls blunt that attack.

Phishing Threats and Exploitation of Context

The scrape also feeds phishing. Knowing that a specific person, under a specific name, uses Trello gives an attacker context to craft a convincing, personalised lure, for example a fake board invitation or notification, that persuades the target to click a malicious link.

Conclusion: Ensuring Robust API Security and User Accountability

The Trello scraping incident underscores the importance of robust security measures on both sides: providers should not expose bulk-resolvable lookups on personal data without authentication and quotas, and users should not reuse credentials across sites, since reused passwords turn a list of confirmed email addresses into account takeovers.

