Over 15 million user profiles from the popular project management app Trello were leaked online following a massive data breach that resulted from one exploit in its system.
Trello's parent company Atlassian confirmed to Bleeping Computer on Tuesday that the over 15 million accounts being sold were indeed from the company's app six months after the cyberattack was first reported.
User data, which includes email addresses, usernames, and people's identifications, were first spotted back in January.
The threat actor told Bleeping Computer that the breach became possible due to "an open API endpoint that allows any unauthenticated user to map an email address to a Trello account."
The hacker claimed to have created a list of over 500 million email accounts and checked if any of those were linked to a Trello profile, creating what they described as a database as "very useful for doxing."
Atlassian claimed that it had already changed Trello's APIs when the breach was first detected, although it did not indicate if it had notified the impacted accounts following the cyberattack.
How to Secure Exposed Trello Account?
Since most of the profile information exposed is also accessible to the public, affected users might not have to worry much about the data breach.
Enabling two- or multi-factor authentication systems can be enough to prevent hackers from accessing personal and financial accounts.
For better protection, however, making a separate email address dedicated to financial accounts will provide better security in the long run.
Related Article : Neiman Marcus Data Breach Exposed 31 Million Customer Emails to Hackers
Vulnerable APIs Common Target for Rising Threat Actors
This is not the first time hackers used an exploit in a platform's API system. In fact, it is one of the most common methods used by many emerging threat actors.
A similar incident even happened to Facebook in 2021 after hackers leaked over 533 million user details through a now-patched "Add Friend" feature to obtain people's identification, mobile number, profile bio, and username.
The breach was reportedly successful due to a vulnerability in the Facebook API used in 2019, from which most of the data was stolen.
The same thing happened on Twitter in 2022, shortly before Elon Musk bought it and renamed it X, as hackers exposed over 5.4 million user accounts through an unsecured API using a similar method in the Trello data breach.
