Cybercriminal Lists Stolen Trello Data for Sale

Email addresses linked to more than fifteen million Trello accounts are now being offered for sale on the Breached hacking forum. The data, obtained in January through an insecure REST API, includes these email addresses and further details of public Trello accounts, such as...

In a recent development, over fifteen million email addresses associated with Trello accounts have been stolen. The data theft, which occurred in January, abused an unsecured REST API endpoint. This incident underscores the importance of maintaining secure APIs, particularly in distributed architectures such as cloud computing and microservices.

Atlassian, the company that owns the Trello platform, has taken steps to prevent further misuse and ensure the safety of its users. The Trello REST API, which enabled users to invite members or guests to their public boards by email address, has been modified to require authentication. Due to the misuse discovered in the January 2024 investigation, unauthenticated users/services can no longer request another user’s public information by email.

The stolen data includes users' full names, email addresses, and public Trello account information. Such data can be used maliciously, for example in phishing attacks aimed at obtaining sensitive information like passwords. Ray Kelly of the Synopsys Software Integrity Group emphasises the importance of comprehensively mapping an application's threat surface, and Alissa Knight of the same group says that this case, in which stolen Trello email addresses were offered for sale on the Breached hacking platform, highlights the need for such mapping.

The Breached hacking forum is a platform where stolen data is sold, and the stolen Trello data is currently being offered there. As this incident demonstrates, a single API call that lacks proper authentication can become a significant vulnerability.
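To make the failure mode concrete, the following is an added example (not Trello's or Atlassian's code) of a minimal email-to-profile lookup endpoint: first in the shape the article describes, where any caller can turn an email list into profiles, and then hardened so that a valid API token is required, each caller has a lookup budget, and every request is recorded for review. The profiles, tokens and budget values are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data: public profile fields keyed by email address.
PUBLIC_PROFILES = {
    "alice@example.com": {"username": "alice", "full_name": "Alice Example"},
    "bob@example.com": {"username": "bob", "full_name": "Bob Example"},
}
# Constructed API tokens for authenticated callers (hypothetical values).
VALID_TOKENS = {"token-for-alice": "alice"}


def lookup_unauthenticated(email):
    """Original shape of the weakness: no caller identity, no limit, no record.
    Anyone holding a list of email addresses can resolve each one to a profile."""
    return PUBLIC_PROFILES.get(email)


@dataclass
class LookupService:
    """Hardened endpoint: token required, per-caller lookup budget, audit trail."""
    max_lookups_per_caller: int = 100
    lookups: dict = field(default_factory=lambda: defaultdict(int))
    audit_log: list = field(default_factory=list)

    def lookup(self, token, email):
        caller = VALID_TOKENS.get(token)
        if caller is None:
            # Unauthenticated requests are refused and logged, never answered.
            self.audit_log.append(("denied", "unauthenticated", email))
            return {"status": 401}
        self.lookups[caller] += 1
        if self.lookups[caller] > self.max_lookups_per_caller:
            # A budget per authenticated caller caps bulk harvesting.
            self.audit_log.append(("rate_limited", caller, email))
            return {"status": 429}
        profile = PUBLIC_PROFILES.get(email)
        # Every lookup is attributed to a caller so abuse can be traced later.
        self.audit_log.append(("ok" if profile else "miss", caller, email))
        if profile is None:
            return {"status": 404}
        return {"status": 200, "profile": profile}
```

Authenticated callers can still read public profile data, as the article notes Trello still permits; the difference is that each request is now tied to an identity, bounded, and visible in the audit log.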

Atlassian will continue to monitor the use of the Trello REST API and take any necessary actions to ensure the security of its users' data. Authenticated users can still request information that is publicly available on another user’s profile using the Trello REST API. However, the focus now is on strengthening the API's security measures to prevent such incidents in the future.
