A threat actor who in January slipped through what they said was an unsecured API to steal personal information from more than 15 million accounts in Atlassian’s Trello project management tool this week reportedly shared the information on the Breached hacking forum.

The data released included such information as user IDs, usernames, full names, profile URLs, and more than 15 million email addresses, according to researchers with Hackread. BleepingComputer reported that while most of the information in the profiles already was public, the email addresses were associated with the accounts and were not public.

According to a screenshot of the BreachForums site, the hacker – who goes by the moniker “emo” – outlined how they were able to collect so much information, noting that “Trello had an open API endpoint that allows any unauthenticated user to map an email address to a Trello account.”

They added that they initially were “only going to feed the endpoint emails from ‘com’ (OGU, RF, Breached, etc.) databases but I just decided to keep going with email until I was bored. This database is very useful for doxing, find enclosed email address matched to the full names and aliases matched to personal email addresses.”

On the site, the hacker said they had collected 15,111,945 unique email addresses.

Emo told BleepingComputer that the unsecured REST API was used by developers to query for public information about profiles based on users’ Trello ID, username, or email address. The hacker put together a list of 500 million email addresses and fed it into the API to see if they were linked to a Trello account and then used the information to create the profiles of more than 15 million users.

The Need to Protect User Data

Trello is a popular web-based tool that helps teams manage projects, with features for organizing and tracking project tasks and functions for everything from project management and meetings to onboarding and brainstorming. It also includes a resource hub for quickly finding information.

Researchers with cyber-risk platform vendor Centraleyes in a blog post in January wrote about the security incident, saying that it underscored the need for vigilant cybersecurity practices to protect user data. They noted the public nature of most of the information, but added that “the association of private email addresses with Trello profiles elevated the severity of the leak.”

“From a cybersecurity standpoint, this presented a potential avenue for threat actors to exploit this data in targeted phishing campaigns, aiming to compromise sensitive user information, including passwords,” they wrote.

After the data was stolen, Trello modified the API to ensure that authentication was needed, emphasizing “the delicate balance between preventing misuse and ensuring legitimate features remain accessible to users,” Centraleyes wrote.

Atlassian said in a statement that after the January incident, it made it impossible for unauthenticated users or service to request another user’s public information via email, though authenticated users can ask for such information. The change ensures misuse of the API while keeping the invitation-through-email feature still functioning.

Add It to the Growing Collection

The Trello breach is only the latest in a series of recent massive data breaches. Telecom giant AT&T and Advance Auto Parts, a major automotive aftermarket parts company, were among the growing number of organizations – others include Progressive, Pure Storage, Ticketmaster, and Santander Bank – that saw data that kept with cloud storage vendor Snowflake. AT&T said data from 110 million customers was breached, while Advance Auto said sent notices to 2.3 million people about their information being leaked.

Meanwhile, a hacktivist group called NullBulge claims it stole 1.2TB of data from the Slack instance of Walt Disney Co. The data allegedly includes all of the company’s Slack communications from its development team, such as messages, files, unreleased projects, code, and logins, along with other information.

Data Breaches on the Upswing

Such data breaches dovetail with the findings from the most recent report from the Internet Theft Resource Center (ITRC), which found that in the first half of the year, 1,571 data compromises were reported, about 14% higher than in the same period in 2023. The number of data breach victims in the first six months hit almost 1.08 billion, a 490% year over year increase, according to the report released this week.

The credential-stuffing attacks on customer organizations of Snowflake account for more than 900 million victims reported in the second quarter, though the first-half numbers don’t include victims of the supply chain attack on Change Healthcare, which company executives have said will impact “a substantial number” of residents in the United States.

“The estimated victim count is up significantly, primarily due to a small number of very large data events skewing the numbers,” ITRC President and CEO Eva Valesquez said in a statement. “What is clear, though, is the fact the trends we saw emerge in 2023 that led to a record-breaking year in compromises are continuing into 2024. … The takeaway from this report is simple: Every person, business, institution and government agency must view data and identity protection with a greater sense of urgency.”