Data leak
Trello user data scraped via unauthenticated REST API
Incident Details
Threat actor 'emo' fed 500 million email addresses from prior breach corpora into Trello's publicly accessible REST API, which returned public user profile data for each address that matched an account, compiling 15 million user records (email, name, username, project info). Atlassian stated that no unauthorised access occurred because the API was public, but patched it in January 2024 to require authentication. The data was listed for sale on hacking forums, and Have I Been Pwned added the dataset.
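The abuse pattern above, many distinct email lookups from one unauthenticated source with a high match rate, is detectable in API access logs. The following is an added detection example, not code from the incident record or from Atlassian; it assumes a hypothetical `/api/members?email=` lookup endpoint and constructed log lines with an `anon`/`token` field.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log lines (not real Trello logs). The path /api/members?email=
# is a hypothetical stand-in for an email-to-profile lookup endpoint; the
# anon/token field records whether the request carried an API token.
SAMPLE_LOG = """\
2024-01-10T08:00:00Z 203.0.113.7 anon GET /api/members?email=u1@example.com 200
2024-01-10T08:00:01Z 203.0.113.7 anon GET /api/members?email=u2@example.com 200
2024-01-10T08:00:02Z 203.0.113.7 anon GET /api/members?email=u3@example.com 404
2024-01-10T08:00:03Z 203.0.113.7 anon GET /api/members?email=u4@example.com 200
2024-01-10T08:00:04Z 203.0.113.7 anon GET /api/members?email=u5@example.com 200
2024-01-10T08:00:05Z 198.51.100.4 token GET /api/members?email=me@example.com 200
2024-01-10T08:00:06Z 198.51.100.4 token GET /api/members?email=me@example.com 200
2024-01-10T08:00:07Z 192.0.2.9 anon GET /api/members?email=x@example.com 404
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<auth>anon|token) GET "
                     r"/api/members\?email=(?P<email>[^\s&]+) (?P<status>\d{3})$")

def parse_line(line):
    """Return the parsed fields of one lookup request, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def detect_enumeration(log_text, window_s=60, threshold=5):
    """For each (source IP, fixed window_s-second window), count distinct
    emails looked up WITHOUT a token and how many of them resolved (HTTP 200).
    Return {ip: (distinct_emails, hits)} for windows at or above threshold."""
    windows = defaultdict(lambda: [set(), 0])  # (ip, bucket) -> [emails, hits]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["auth"] != "anon":
            continue  # authenticated calls are attributable; out of scope here
        bucket = int(rec["ts"].timestamp()) // window_s
        entry = windows[(rec["ip"], bucket)]
        if rec["email"] not in entry[0] and rec["status"] == "200":
            entry[1] += 1
        entry[0].add(rec["email"])
    flagged = {}
    for (ip, _), (emails, hits) in windows.items():
        if len(emails) >= threshold and len(emails) > flagged.get(ip, (0, 0))[0]:
            flagged[ip] = (len(emails), hits)
    return flagged
```

A high hit count relative to distinct lookups is the signal that the input was a curated breach corpus rather than random guesses; once the endpoint requires authentication, the `anon` filter makes any remaining lookups a configuration regression worth alerting on.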
Technical Details
- Initial Attack Vector
- CWE-359: Exposure of Private Personal Information to an Unauthorized Actor (unauthenticated REST API endpoint allowed email-to-profile lookups)
- Vendor / Product
- Trello (Atlassian)
Timeline
- 2024-01-16 Breach occurred
- 2024-01-23 Publicly disclosed
- unknown Customers notified