15 Million Trello Members’ Email Addresses Out in the Street in Hack – DutchCowboys

Collaboration tool Trello has been hacked. The software, which lets you create a kind of Kanban board, was hacked in January, and this week all of the email addresses were put online.

Insecure API

The reason behind the hack is an insecure API. That is bad, because Trello is not a small tool. It has several million users and is part of Atlassian, which is not a small organization either. People use it to create lists, from a shopping list to a bucket list, while businesses use it for project management or to show who is doing what.

It’s a useful tool, but as it turns out also an insecure one. 15 million email addresses have been exposed. They were initially put up for sale on the dark web, but now they can all be found online. To be exact: 15,115,516 of them. Atlassian said nothing about these email addresses when they were stolen. It’s worth noting that, unlike some other profile data, the email addresses are not public. Surely the people whose email addresses are now out on the street are entitled to an explanation.

Trello data on the street

The hacker is said to have contacted BleepingComputer and told them it was because of the REST API. An API is an interface that developers can use to access a service from their own applications. This particular API allowed developers to call up public information about Trello profiles. The hacker just had to create a list of email addresses and run it through the API, and he could see which email addresses were linked to a profile. It’s not a full-fledged hack in the sense of breaking into Atlassian’s secure systems, but it’s certainly a way to get information that shouldn’t be public. You can now get the email addresses for $2.32 on the hacker forum Broched.
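The lookup pattern described above leaves a recognizable trace in API access logs: one client querying many different email addresses in a short time. The following is an added example, not code from the article or from Trello; the endpoint path, the log format and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

LOOKUP_PATH = "/api/members/lookup"   # hypothetical endpoint name (assumption)
WINDOW = timedelta(minutes=5)
MAX_DISTINCT = 20                     # distinct addresses per client per window

def parse(line):
    """Split 'timestamp client method url status' into a lookup event, else None."""
    ts, client, method, url, status = line.split()
    parts = urlsplit(url)
    email = parse_qs(parts.query).get("email", [None])[0]
    if method != "GET" or parts.path != LOOKUP_PATH or email is None:
        return None
    return datetime.fromisoformat(ts), client, email.lower(), int(status)

def find_enumerators(lines, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {client: (peak distinct emails in one window, confirmed profiles)}."""
    recent = defaultdict(deque)        # client -> (time, email) pairs inside the window
    peak = defaultdict(int)
    hits = defaultdict(set)            # addresses the API confirmed with HTTP 200
    for when, client, email, status in filter(None, map(parse, lines)):
        q = recent[client]
        q.append((when, email))
        while q and when - q[0][0] > window:   # drop events older than the window
            q.popleft()
        peak[client] = max(peak[client], len({e for _, e in q}))
        if status == 200:
            hits[client].add(email)
    return {c: (peak[c], len(hits[c])) for c in peak if peak[c] > max_distinct}

def sample_log():
    """Constructed log: one client walking an address list, one ordinary user."""
    start = datetime(2024, 1, 16, 10, 0, 0)
    lines = []
    for i in range(60):                # 60 different addresses within two minutes
        ts = (start + timedelta(seconds=2 * i)).isoformat()
        status = 200 if i % 4 == 0 else 404
        lines.append(f"{ts} 203.0.113.7 GET {LOOKUP_PATH}?email=user{i}%40example.com {status}")
    for i in range(3):                 # ordinary use: the same address, spread out
        ts = (start + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.9 GET {LOOKUP_PATH}?email=me%40example.org 200")
    lines.append(f"{start.isoformat()} 198.51.100.9 GET /api/boards/1 200")
    return lines

if __name__ == "__main__":
    for client, (distinct, confirmed) in find_enumerators(sample_log()).items():
        print(f"{client}: {distinct} distinct addresses in one window, {confirmed} confirmed")
```

The function expects each client's lines in chronological order. The confirmed count shows how many addresses the endpoint tied to a profile, which is the information that should not have been available to an anonymous caller.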


You might be thinking: oh, an email address, what does it matter? But email addresses are regularly used for phishing attacks, and a hacker may well craft a really good phishing email that you fall for. You then enter a bit more information, and you are even worse off. Or your email address is used in some way to trick people around you. There are many possibilities. Consider, for example, people who post anonymously on social media, who can now be exposed based on their email address.

As for Trello itself: it supports two-factor authentication, so it’s advisable to enable that as soon as possible, in addition to, of course, using a more complex password than Blink182!

Winton Frazier

 "Amateur web lover. Incurable travel nerd. Beer evangelist. Thinker. Internet expert. Explorer. Gamer."
