Trello API breach exposes 15M+ emails. Explore how 'emo' exploited vulnerabilities and learn mitigation tactics in our in-depth technical analysis.

Continue reading
In January 2024, a significant data breach involving Trello, an online project management tool owned by Atlassian, was discovered. A threat actor named 'emo' exploited an unsecured REST API, collecting over 15 million email addresses linked to Trello accounts. This data breach highlighted critical vulnerabilities in API security and raised concerns about the misuse of leaked data. This Threatfeed analysis rigorously dissects the breach, underlying technical nuances, and implications.
BleepingComputer first reported the breach, revealing that 'emo' was selling profiles of 15,115,516 Trello members on a popular hacking forum. These profiles contained both public information and non-public email addresses. The data was collected using an unsecured REST API, which allowed queries based on Trello ID, username, or email address.
'emo' created a list of 500 million email addresses and fed them into the API to determine if they were linked to Trello accounts. The API returned account information, which was then combined to create member profiles. In July, 'emo' shared the entire list on the Breached hacking forum for a minimal fee, making the data accessible to a broader audience.
The Trello REST API allowed unauthenticated queries, enabling the collection of public profile information. 'emo' exploited this by querying the API with email addresses to link them to Trello accounts. This process was facilitated by the lack of authentication and rate limiting.
'emo' used a list of 500 million email addresses and fed them into the API to identify linked Trello accounts. By rotating connections using proxy servers, 'emo' bypassed rate limiting measures. This allowed continuous querying of the API, creating profiles for over 15 million users.
To illustrate the exploitation technique, consider the following Python script used to query the Trello API:
import requests
email_list = ["[email protected]", "[email protected]", "[email protected]"]
api_url = "https://api.trello.com/1/members/"
for email in email_list:
response = requests.get(api_url, params={"email": email})
if response.status_code == 200:
print(response.json())This script demonstrates how 'emo' might have used a simple loop to query the API with a list of email addresses.
Atlassian confirmed the misuse of the Trello REST API and secured it in January 2024. The API now requires authentication, preventing unauthenticated access. This change balances API usability with security, allowing authenticated users to request publicly available information while blocking unauthorized access.
Atlassian continues to monitor the API's use and implement necessary security measures. Regular security audits and proactive monitoring are essential to prevent similar breaches. Educating users about the risks of phishing and doxxing is also crucial.
The leaked data includes email addresses and public Trello account information, such as users' full names. This information can be used in targeted phishing attacks to steal sensitive information like passwords. Attackers can craft convincing phishing emails using this data, increasing the likelihood of successful attacks.
The data can facilitate doxxing, allowing threat actors to link email addresses to individuals and their aliases. This poses significant privacy risks, especially for users who post anonymously online. Unmasking anonymous users can lead to harassment, blackmail, and other malicious activities.
In 2021, a similar API exploitation linked phone numbers to Facebook accounts, affecting 533 million users. Threat actors used an unsecured API to link phone numbers with Facebook profiles, creating detailed user profiles with both public and private information.
In 2022, Twitter experienced a breach where phone numbers and email addresses were linked to millions of users. An unsecured API was exploited to combine public Twitter data with private email addresses and phone numbers, resulting in a significant data leak.
More recently, an unsecured Twilio API confirmed the phone numbers of 33 million Authy app users. Threat actors exploited the API to link phone numbers with user profiles, creating a detailed dataset that posed significant privacy risks.
Implementing robust authentication mechanisms is crucial to securing APIs. This includes using API keys, OAuth tokens, and other authentication methods to restrict access to authorized users only.
Rate limiting and IP whitelisting can help prevent abuse of APIs. By limiting the number of requests from a single IP address and allowing only trusted IPs, organizations can reduce the risk of API exploitation.
Conducting regular security audits of APIs is essential to identify and mitigate vulnerabilities. These audits should include penetration testing, code reviews, and other security assessments to ensure the API is secure.
The following example shows how to configure an API gateway to enforce rate limiting and authentication using OAuth tokens:
apiVersion: v1
kind: ConfigMap
metadata:
name: api-gateway-config
data:
config.yaml: |
apiEndpoints:
- path: /api/*
methods: [GET, POST]
rateLimit:
requestsPerMinute: 60
authentication:
type: oauth2
tokenEndpoint: https://auth.example.com/tokenThis configuration enforces a rate limit of 60 requests per minute and requires OAuth tokens for authentication.

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been