A threat actor on a popular hacking forum is selling millions of personal information records obtained in a massive Trello user data leak stemming from an exposed API.
According to a threat actor using the pseudonym “emo,” the January 16, 2024, Trello data breach exposed the account information of 15 million users.
“Contains emails, usernames, full names and other account info. 15,115,516 unique lines,” the threat actor posted, adding that they are “selling one copy to whoever wants it.”
The company said it was “aware of claims made by a threat actor about Trello user profile data” but denied that its systems had been directly hacked.
Trello user data leak stemmed from web scraping
Trello “completed an exhaustive investigation” and found no evidence that the leaked user data was gathered by unauthorized access.
Instead, the attacker scraped the website using existing email addresses likely obtained from previous breaches. At no point has the threat actor claimed to have breached Trello’s systems.
“All evidence points to a threat actor testing a pre-existing list of email addresses against publicly available Trello user profiles,” a Trello spokesperson said.
Troy Hunt’s Have I Been Pwned? (HIBP) data breach listing website has added the Trello data leak to enable individuals to ascertain whether their personal information was exposed. HIBP also reiterated that the Trello user data leak resulted from “enumerating a publicly accessible resource using email addresses from previous breach corpuses.”
Trello has limited an unauthenticated party’s ability to query users’ public profile information using an email address, effectively slowing down future attacks. Additionally, the Atlassian-owned online project management platform will monitor user activity to prevent abuse.
“All APIs are susceptible to business logic abuse and the only effective way to detect them is through the use of behavioral analysis of API requests, which can be compared against behavioral fingerprints to determine if the calls to the API are malicious,” said James Sherlow, Systems Engineering Director, EMEA at Cequence Security.
The extent of Trello’s responsibility for failing to detect the suspicious activity, which allegedly resulted in millions of user records being exposed and leaked on the Dark Web, remains debatable. So far, the company maintains it was not at fault.
“The threat actor only obtained Trello user profile information that was already publicly available and combined this information with email addresses that the threat actor had obtained from another source,” Trello said.
Technical controls such as robust rate limiting should normally prevent a single entity from scraping 15 million records. Consequently, the failure or absence of such controls suggests a certain degree of responsibility.
“Rate-limiting-based and IP-based protection is outdated as this attack, which utilized proxy servers to fool the system, goes to show,” added Sherlow. “Moreover, IP protection can impact ‘good users’ as attackers often use high-value residential proxies, whilst the bad users rotate off to another IP and almost end up with a ‘VIP’ service.”
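The two points above, that a per-IP rate limit is defeated by proxy rotation while grouping requests by how they behave still catches the enumeration, can be shown with a small detector over constructed API access logs. The following is an added example written for this article; it is not code from Trello, Atlassian or Cequence Security, and the log format, the `/1/members` lookup path, the IP addresses, the user agent strings and the thresholds are all assumptions chosen for illustration. It uses the user agent plus endpoint as a stand-in for the richer “behavioral fingerprints” Sherlow describes.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Request:
    ts: datetime
    ip: str
    user_agent: str
    authenticated: bool
    path: str
    email: Optional[str]  # value of the email lookup parameter, if the request had one
    status: int


# Constructed sample log (not real traffic): one unauthenticated client walks a
# breach-derived address list, rotating across four proxy IPs so that each IP
# stays under a naive per-IP limit; two authenticated users look up a colleague.
T0 = datetime(2024, 1, 16, 10, 0, 0, tzinfo=timezone.utc)
SCRAPER_UA = "python-requests/2.31"          # assumed client string
PROXY_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
LOOKUP_PATH = "/1/members"                   # assumed profile-lookup endpoint


def build_sample_log() -> List[Request]:
    log: List[Request] = []
    for i in range(40):
        log.append(Request(
            ts=T0 + timedelta(seconds=i),
            ip=PROXY_IPS[i % len(PROXY_IPS)],   # proxy rotation: 10 lookups per IP
            user_agent=SCRAPER_UA,
            authenticated=False,
            path=LOOKUP_PATH,
            email=f"user{i}@example.com",      # every request tests a different address
            status=200 if i % 3 else 404,      # some addresses have no public profile
        ))
    log.append(Request(T0 + timedelta(seconds=5), "198.51.100.7", "Mozilla/5.0 Firefox",
                       True, LOOKUP_PATH, "alice@example.org", 200))
    log.append(Request(T0 + timedelta(seconds=9), "198.51.100.8", "Mozilla/5.0 Chrome",
                       True, LOOKUP_PATH, "bob@example.org", 200))
    return log


def ip_rate_alerts(log: List[Request], window_s: int = 60, max_per_ip: int = 20) -> Dict[str, int]:
    """Classic per-IP limiter: IPs whose lookup count in one fixed window exceeds max_per_ip."""
    counts: Dict[tuple, int] = defaultdict(int)
    for r in log:
        if r.email is None:
            continue
        bucket = int(r.ts.timestamp() // window_s)
        counts[(r.ip, bucket)] += 1
    return {ip: n for (ip, _), n in counts.items() if n > max_per_ip}


def behavioral_alerts(log: List[Request], window_s: int = 60,
                      min_distinct_emails: int = 25) -> List[dict]:
    """Group unauthenticated lookups by a request fingerprint (user agent + path) rather than
    by source IP, and flag fingerprints that probe many distinct addresses in one window."""
    emails: Dict[tuple, set] = defaultdict(set)
    ips: Dict[tuple, set] = defaultdict(set)
    for r in log:
        if r.email is None or r.authenticated:
            continue
        bucket = int(r.ts.timestamp() // window_s)
        key = (r.user_agent, r.path, bucket)
        emails[key].add(r.email)
        ips[key].add(r.ip)
    alerts = []
    for (ua, path, _), seen in emails.items():
        if len(seen) >= min_distinct_emails:
            alerts.append({
                "user_agent": ua,
                "path": path,
                "distinct_emails": len(seen),
                "distinct_ips": len(ips[(ua, path, _)]),
            })
    return alerts


if __name__ == "__main__":
    sample = build_sample_log()
    print("per-IP alerts:", ip_rate_alerts(sample))        # empty: 10 lookups per IP
    print("behavioral alerts:", behavioral_alerts(sample))  # one fingerprint, 40 emails, 4 IPs
```

On the constructed sample the per-IP counter raises nothing, because each proxy stays at ten lookups, while the fingerprint-based view sees one client testing 40 distinct addresses across four IPs within the same minute. A real deployment would add further behavioral features (request timing, header ordering, TLS fingerprint, distribution of hit and miss responses) and would pair detection with the mitigation the article describes, restricting unauthenticated lookup of profiles by email address.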
Leaked user data can facilitate phishing and credential stuffing attacks
The leaked user data, while public, provides a valuable resource for crafting compelling targeted phishing attacks when linked to a personal email address. Therefore, victims should remain vigilant for potential scams stemming from the Trello data leak.
While the user data leak did not expose account passwords, threat actors could still utilize the list for brute force and credential-stuffing attacks.
Trello is no stranger to cybersecurity incidents. In January 2020, cybersecurity firm Sophos also found users exposing sensitive content by inadvertently setting Trello boards’ visibility to ‘public.’
Similarly, in April 2022, cybersecurity firm Mandiant observed threat actor APT29 leveraging Trello service to evade detection while targeting diplomatic missions in Europe, the Americas, and Asia.
“The Trello API was functioning as expected so what this breach demonstrates is just how devastating business logic abuse, which sees the functionality of the API explored and abused, can be,” Sherlow concluded.