January 23, 2024 at 04:37PM
An exposed Trello API allowed the creation of millions of data profiles, linking public and private information. A threat actor attempted to sell the data of 15,115,516 Trello members containing emails, usernames, and full names. The leaked email addresses were accessed through a publicly exposed API, elevating the severity of the leak and posing risks of targeted phishing campaigns.
Based on the meeting notes, the key takeaways are as follows:
1. An exposed Trello API allowed the linking of private email addresses with Trello accounts, leading to the creation of data profiles containing public and private information.
2. The Trello data leak, discovered last week, involved a threat actor attempting to sell the data of 15,115,516 Trello members on a popular hacking forum.
3. Although Trello claimed that the data was not collected by unauthorized access to their systems, it was found that a publicly exposed API was used to associate email addresses with public Trello profiles.
4. The threat actor abused Trello’s REST API to query public profile information using email addresses, resulting in the exposure of private email addresses associated with Trello accounts.
5. Trello has since made changes to the API to prevent unauthenticated users/services from requesting another user’s public information by email, aiming to prevent further misuse of the API while still allowing authenticated users to access publicly available profile information.
6. The leak of private email addresses linked to Trello accounts elevates the severity of the leak, as it could potentially be exploited in targeted phishing campaigns to steal more sensitive information.
7. The Trello leak has been added to the Have I Been Pwned data breach notification service for individuals to check if their email addresses are among the 15 million leaked addresses.
8. This incident is reminiscent of a similar Twitter API bug exploitation in 2021, where threat actors were able to link public Twitter data with associated private email addresses and phone numbers, ultimately leading to the data leak of over 200 million Twitter profiles.
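As an added illustration of points 4 and 5 above (example code written for this page, not Trello's own): a mock lookup-by-email endpoint in its pre-fix form beside a hardened version that requires an authenticated session and throttles it, plus a small detector that flags sources issuing bursts of unauthenticated lookups. The profile store, session tokens, the `/api/members` path and the access-log format are all constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample data (not Trello's): a tiny profile store and session table.
PROFILES = {
    "alice@example.com": {"username": "alice", "full_name": "Alice Example"},
    "bob@example.com": {"username": "bob", "full_name": "Bob Example"},
}
SESSIONS = {"tok-alice": "alice"}  # session token -> authenticated user

def lookup_by_email_weak(email):
    """Pre-fix behaviour as the page describes it: any caller can turn an email
    address into the public profile behind it, confirming the account exists."""
    return PROFILES.get(email)

class RateLimiter:
    """Sliding window: at most `limit` lookups per `window` seconds per caller."""
    def __init__(self, limit, window):
        self.limit, self.window, self.hits = limit, window, defaultdict(list)
    def allow(self, caller, now):
        recent = [t for t in self.hits[caller] if now - t < self.window]
        if len(recent) >= self.limit:
            self.hits[caller] = recent
            return False
        self.hits[caller] = recent + [now]
        return True

LIMITER = RateLimiter(limit=3, window=60)

def lookup_by_email_hardened(email, session_token, now):
    """Post-fix policy: an authenticated session is required and throttled, and
    unauthenticated callers get one identical error whatever address they send."""
    user = SESSIONS.get(session_token)
    if user is None:
        return {"error": "authentication required"}
    if not LIMITER.allow(user, now):
        return {"error": "rate limited"}
    return PROFILES.get(email)

# Constructed access-log format: "<ip> <anon|auth> GET /api/members?email=<addr>".
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<auth>anon|auth) GET /api/members\?email=")

def flag_enumeration(log_lines, threshold):
    """Detection side: source IPs issuing >= threshold unauthenticated lookups."""
    counts = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["auth"] == "anon":
            counts[m["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

SAMPLE_LOG = [f"203.0.113.5 anon GET /api/members?email=u{i}@example.com" for i in range(3)]
SAMPLE_LOG.append("198.51.100.7 auth GET /api/members?email=bob@example.com")
```

The detector is deliberately simple; in production the same count would be keyed per source over a time window and fed into the rate limiter's decisions rather than run after the fact.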
These takeaways summarize the key points from the meeting notes regarding the Trello data leak and the exploitation of the Trello API.