
A significant data breach recently impacted Trello, a task management tool by Atlassian, known for its team collaboration software. The personal information of around 15 million Trello users was exposed on the dark web after hackers exploited an API vulnerability. This article explores how the API vulnerability was exploited, why hackers target team collaboration tools, and essential security measures to prevent such breaches.
Process of Trello Data Breach Exploiting API Vulnerabilities

Atlassian is a software company that provides team collaboration tools, including various project management and software development tools. Trello is a tool for project management and collaboration, offering features to organize tasks using boards, cards, and lists. Over 3,000 companies worldwide use Trello to manage and collaborate on their work efficiently.

The Trello data breach came to light when a hacker named “emo” posted on a dark web forum, claiming to sell a database containing Trello users’ account information.
The Trello data breach unfolded as follows:
- Exploiting an Open API Endpoint
Trello offered a REST API that allowed users to retrieve publicly available profile information. This API was designed to search profile information based on user ID, username, and email address. Initially, the API could be accessed without authentication, meaning anyone could call the API to retrieve public information, allowing the hacker to collect data indefinitely.
- Utilizing a List of Email Addresses
The hacker “emo” prepared a large list of email addresses, comprising 500 million addresses collected from various sources. This list was input into the API to check if each email address was associated with a Trello account. The API call results included account information for each email address.
- Combining Data
The data returned from the API included user IDs, profile URLs, status information, settings, restrictions, and related board memberships. The hacker collected this information and created user profiles linked to each email address. By combining the 500 million email addresses with the data retrieved from the API, over 15 million detailed user profiles were compiled.
- Data Breaches and Sales
The hacker posted the compiled user profile information on the dark web forum “Breached,” making it available for other hackers or criminals. “emo” sold the entire list for 8 site credits, approximately $2.32. The leaked information was provided in bulk and could be used for identity theft, phishing attacks, doxing, and other malicious activities.
In response, Atlassian has blocked unauthorized access to public information requests based on email addresses. They also stated they would continue to monitor API usage and take necessary actions.
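Monitoring API usage for this pattern means counting how many distinct email addresses each client submits to a lookup endpoint in a short window, regardless of whether the lookups hit or miss. The Python detector below is an added example, not code from the original article or from Atlassian; the route `/api/members/lookup`, the log layout, the thresholds and the sample log lines are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Hypothetical route, log layout and thresholds (assumptions, not Trello's real API).
LOOKUP_PATH = "/api/members/lookup"
WINDOW = timedelta(minutes=5)
MAX_DISTINCT_EMAILS = 3

def parse_line(line):
    """Parse 'timestamp client auth METHOD url status' into a record."""
    ts, client, auth, _method, url, status = line.split()
    parts = urlsplit(url)
    email = parse_qs(parts.query).get("email", [None])[0]
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "anonymous": auth == "anon", "path": parts.path,
            "email": email.lower() if email else None, "status": int(status)}

def find_enumerators(lines):
    """Flag clients that look up more than MAX_DISTINCT_EMAILS addresses within WINDOW."""
    recent = defaultdict(deque)  # client -> (timestamp, email) pairs still inside the window
    flagged = {}
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        if rec["path"] != LOOKUP_PATH or rec["email"] is None:
            continue
        q = recent[rec["client"]]
        q.append((rec["ts"], rec["email"]))
        while rec["ts"] - q[0][0] > WINDOW:
            q.popleft()
        distinct = len({email for _, email in q})  # hits and misses both count
        if distinct > MAX_DISTINCT_EMAILS:
            prev = flagged.get(rec["client"], {"distinct": 0})
            flagged[rec["client"]] = {"distinct": max(prev["distinct"], distinct),
                                      "anonymous": rec["anonymous"]}
    return flagged

def sample_log():
    """Constructed log lines (not real traffic): one bulk checker, two ordinary clients."""
    bulk = [f"2024-01-16T10:00:{i:02d} 203.0.113.7 anon GET "
            f"{LOOKUP_PATH}?email=user{i}@example.com {200 if i % 3 == 0 else 404}"
            for i in range(6)]
    slow = [f"2024-01-16T10:{m:02d}:00 192.0.2.9 anon GET "
            f"{LOOKUP_PATH}?email=peer{m}@example.com 200" for m in (0, 10, 20, 30)]
    repeat = [f"2024-01-16T10:01:0{i} 198.51.100.4 token GET "
              f"{LOOKUP_PATH}?email=Me@Example.com 200" for i in range(3)]
    return bulk + slow + repeat

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

Only the client that submits many different addresses in quick succession is flagged; the client that repeats one address and the client whose lookups are spread over half an hour stay under the threshold.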
Exploring Atlassian’s Exposed IP Addresses Using CTI Search Engine
Trello, along with other team collaboration tools, has always been a prime target for hackers. Atlassian’s prominent global team collaboration tools, including Jira, Confluence, and Trello, are exposed to vulnerabilities and attacks.
By using the CTI search engine Criminal IP Asset Search, it is possible to identify key IP addresses related to Atlassian and detect servers exposed in a vulnerable state.
Search Query: tech_stack: Atlassian

Notably, IP addresses exposed to vulnerabilities were found.

At the bottom of the IP address report, the ports and services operated on the IP address are visible. One particular IP address operates Confluence on port 80 and has the CVE-2023-22515 vulnerability. Since collaboration tools often share internal documents and materials, merely being exposed on the internet poses a threat, especially if they have known vulnerabilities. Therefore, companies and organizations must always ensure continuous security management and apply the latest patches when using collaboration tools.
Importance of API Security
This incident highlights the critical importance of API security. Companies need to continuously monitor API security vulnerabilities, block unauthorized access, and strengthen measures to protect user data. Trello users should exercise increased vigilance in protecting their personal information following this incident. Utilizing CTI search engines like Criminal IP can help detect and respond to threats related to exposed API endpoints.
For further reading, refer to the article API Key, a Key to Credential Leakage & Manipulation.
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.
Source: Criminal IP (https://www.criminalip.io/)
