In other news, a popular project management tool from Atlassian, Trello, just experienced a serious data breach. According to reports from Hackread.com, the hacker whose alias is “Emo” recently leaked this data on a cybercrime platform called “Breach Forums,” where it was confirmed that a staggering 21.1GB of customer information was lost in this breach. [1]
Researchers from Hackread.com confirmed that, according to the hacker, the data surfaced online on Tuesday, July 16, 2024, despite the breach occurring in January 2024. Some details that were captured in the breach include the following: [1]
- User IDs
- Usernames
- Full names
- Profile URLs
- Status information
- Various settings and limits
- Associated board memberships
- Email addresses (15 million – 15,182,073)
Source: hackread.com
What happened?
According to “Emo,” his breach was allegedly successful due to an unsecured API in Trello’s system. The said vulnerability (unsecured endpoint API) was accessible without user logins, thus accepting and allowing unauthorized access. [1] The endpoint API allowed “Emo” to link email addresses to Trello accounts, revealing user identities.
Emo in the beginning only relied on emails from breached databases. He later went on full-scale to exploit the endpoint API with more and more emails, which eventually resulted in the magnitude of the breach we have now. Some of the uses of this leaked data could include: [1]
- Spam and phishing
- Credential stuffing
- Social engineering attacks
- Sold on the dark web
- Targeted advertisements
- Scams and extortions
- Identity theft
- Doxing
Trello had an open API endpoint that allows any unauthenticated user to map an email address to a Trello account. I originally was only going to feed the endpoint emails from ‘com’ (OGU, RF, Breached, etc.) databases but I just decided to keep going with emails until I was bored. This database is very useful for doxing, find enclosed email address matched to full names and aliases matched to personal email addresses, The hacker said. [1]
Source: hackread.com
User lessons for affected businesses and individuals.
This leak highlights the imperative need for robust and reliable API security measures. Strong authentication, educating your team, authentication controls, limiting the amount of data the API exposes, constant monitoring, using API gateways to act as a middle layer between clients and backend services [3], and also monitoring for suspicious and malicious activities. [2] It is also important to stay updated with the best security practices by patching and updating regularly to ensure your systems do not get vulnerable due to out-of-date security patches.
As a Trello user, firstly, check if your data was compromised in the breach; you can do so by using https://nordpass.com/have-i-been-hacked/. [2] If the scan indicates you are safe, that’s great. However, if it indicates otherwise, you will need to take some immediate action.
Trello users should consider changing their emails and passwords to any account tied to the email affected by the leak. Also, set up multi-factor authentication. [2] Additionally, Trello users should be vigilant for phishing, as other cybercriminals may send you emails where they impersonate legitimate organizations offering juicy deals and unwanted help.
I’d love to hear your thoughts! What advice would you give to victims in this situation? Do you agree with the recovery steps I mentioned, or do you see things differently? Please feel free to share any insights or experiences you’ve had with similar data breaches. Your perspective would add to the conversation, and I’m looking forward to hearing from you!
References
- https://hackread.com/trello-data-breach-hacker-dumps-users-personal-info/
- https://nordpass.com/blog/trello-data-breach/
- https://www.practical-devsecops.com/api-gateway-security-best-practices/#:~:text=An%20API%20Gateway%20serves%20as,the%20microservices%20in%20the%20backend.
Brilliant work Mohammed!! The research you have done presents a comprehensive analysis of the breach, including the extent of compromised data, the chronology of events, and the hacker’s approach. This level of detail is essential to comprehending the incident’s complete significance. The different ways the compromised data could be utilised, ranging from phishing and spam to more serious risks like identity theft and doxing, are also well documented which is important for impacted users to be able to comprehend the possible hazards they face.
This data breach concerns me a lot, as sensitive data like user IDs, usernames, various settings and limits, associated board memberships and, most importantly, more than 15 million email addresses. This data breach shows how dangerous it can be. Again, the hackers are using a lot of hacking methods at a time, which increases the chances. From my opinion, I think companies should be more concerned about using APIs. It is true that APIs are a very important part of a system, but we have to increase their security measures. Lastly, the end user should also check their account’s security status regularly.
Great article, Mohammed! According to BleepingComputer, it seems that the abused API here was designed to allow users to invite each other to Trello’s “boards” using a profile’s email, and the only information returned was already publicly available save the email addresses the attacker’s collected to query the API in the first place. Trello’s fix was simply to require authentication to query the API, which seems like a band-aid solution; websites like Google Drive and GitHub support adding users to projects with an email address, but don’t expose an API that users can abuse to query user information. Regardless, it’s fortunate that the attackers were unable to leak passwords, salted, hashed, or otherwise, but your advise on changing passwords and enabling two-step authentication is still an essential next step for affected users, as prior leaks risk account compromise if the user reused their passwords across accounts, and will likely face a torrent of phishing emails now that their personal information has been leaked, which can be mitigated by two-factor authentication.
Great security breach experience, Mohammed. The question you raised is also inspiring. As a victim, would taking the measures be enough to stop the data leak damage? To answer this question, will need to know the potential intensions of the attacker. In many case, the cyber-attack are staged escalating series of damages. For instance, user data like email address, names, and demographic information can be used in a targeted marketing and promotional campaigns. However, it could be also used to cause financial losses and financial fraudulent activities. Yes, changing the username and password can prevent malicious access , but the big risk still looming around the identity leak. As a victim, I would seek identity theft insurance from TRELLO DATA seeking recovery if any financial loss is concluded. Whatever, reactive measures can be done, these measures would not be in a peer-quality to proactive precautions. For instance, using a dedicated email address for TRELLO DATA would be an essential proactive precaution rather than using one generic email address. Many mail service providers, like Google Mail provide, a feature to add symbol like”+” and “-” in the email address where the user could tag the email address for a specific use. For instance, id1234+TRELLO@gmai.com. Also, the user should avoid clear identity disclosure and self-intuitive, like using the first or last name in the username or the email addresses. The advice here is cyber attacks are getting more sophisticated and user education has become a must and exercising these proactive precautions are invadable.
Those are really great suggestions, Mr. Tamer. I just checked out the “+” and “-” email tagging features of Google Mail, and I have to say, they’re pretty handy and definitely worth using in the situations you pointed out. I completely agree with your second point as well. It’s so important for employers, business owners, and even individuals to put more effort into making sure people don’t use personal details like names or phone numbers as their usernames or passwords. Regular training and workshops can make a big difference here. The more anonymous we can keep our information, the harder it is for someone to trace an email back to a specific person.
Great insights! An insecure API in Trello has led to the recent breach of 21.1GB of user data. Update your passwords and multi-factor authentication enablement, and watch out for phishing attacks; users have been reminded. Vigilance is at one’s discretion to avoid further risks.
Hi Mohammed, I found your discussion post to be incredibly fascinating and thoroughly enjoyed every bit of it. By examining Trello data breaches, you could showcase various accounts of breaches, including unsecured API endpoints that, when enabled, allowed access to unauthorized sensitive user information. The topic you wrote on showcases a strong understanding of the necessity of strong API securities and the effects they may have in real-world situations. One of the clear identifications for businesses and users is the phishing and credential stuffing attacks. Both these showcase how data can be exploited through various malicious methods and highlight to Trello users the necessity for caution and awareness of these threats. Following this, you mentioned some practical advice that would help maintain proactive measures to safeguard data following a breach. By using methods such as checking compromised accounts utilizing multi-factor authentication, users are able to protect their data better and mitigate large-scale incidents. Although preventive measures can enhance data security and stop similar breaches from occurring in the future, I was able to gather from your post your push for including robust API security practices to maintain these protective measures.
Thank you Mohammed for this interesting post!
Breaches happening almost everywhere is no longer a question of “if”, its “when” you get breached. This breach is an example of how threat actors can exploit vulnerabilities and how much information they can get out of just one exploit.
Educating employees on cybersecurity should be a major priority for organizations as its the duty of each and everyone of us to protect and keep the cyberspace safe.