Atlassian Tightens API After Hacker Scrapes 15M Trello Profiles

About 15 million names, usernames, and emails associated with public Trello boards have been collected and put up for sale on the Dark Web — opening the door to account takeovers and spear-phishing attacks down the line. Trello parent Atlassian says it's made changes to a critical API to help prevent scraping attacks from happening again — but is downplaying its responsibility for the incident, researchers say.

Trello, a project-management and collaboration platform, offers the ability to make its "boards" (i.e., workspaces) publicly findable for easier collaboration across disparate companies and stakeholders. The administrator of a board can invite other people via email to participate on their public boards — and that invite feature is enabled by a REST API.

An enterprising cyberattacker who goes by the handle "emo" was able to manipulate this API as a form of business logic attack; if someone queried the API using an email address, it would return the public profiles of any boards associated with that email. In this way, emo was able to scrape publicly available data on 15 million Trello profiles (that were available in the format trello.com/[username], which is how emo was able to associate usernames and emails together).

Fixing Trello's Over-Sharing API

"Attacks like this are pretty easily constructed and sent, once the attack is known to work," says Jason Kent, hacker in residence at Cequence Security. "The threat actor will test various systems for information, and when a pattern emerges they can use generative AI or existing scripts to create an attack in a few minutes. They only need to find that an endpoint is giving data as a result of a request, then figure out if the request can be changed to get new data. We call this the Unholy Trinity because it is usually on an API they weren't aware they had, it isn't requiring authentication, and [it] often contains sensitive data."

An Atlassian spokesperson notes that there was no unauthorized access to internal Trello systems, but acknowledges that the API needed a tighter configuration.

"Given the misuse of the API uncovered in this investigation, we've made a change to it so that unauthenticated users/services cannot request another user's public information by email," she explains to Dark Reading. "Authenticated users can still request information that is publicly available on another user's profile using this API. This change strikes a balance between preventing misuse of the API while keeping the 'invite to a public board by email' feature working for our users."

She adds, "We will continue to monitor the use of the API and take any necessary actions."

A quick check by Dark Reading showed that indeed, users who are not signed in are now blocked from viewing trello.com/[username] profiles.

Should Trello Be Held Accountable for Data Scraping?

The Atlassian spokesperson framed the incident as impacting only information that was already public -- intimating that users are responsible themselves for what ends up in scrapers' hands.

"After an exhaustive investigation ... all evidence points to a threat actor testing a pre-existing list of email addresses against publicly available Trello user profiles," the Atlassian spokesperson says. "The threat actor only obtained Trello user profile information that was already publicly available and combined this information with email addresses that the threat actor had obtained from another source."

Kent believes that this is a bit of disingenuous spin. "Trello is saying 'this is all public data' as a defense, but I would be willing to bet their terms and conditions do not permit me coming along and dumping out their entire database for my own use. I would also bet that the users of the systems don't expect this is normal behavior either."

While scraping of public data does not technically constitute a data breach, Troy Hunt, founder and CEO of Have I Been Pwned (HIBP) and a Microsoft regional director, has pointed out in the past that because people don't generally have an expectation that "their data has been inappropriately accessed, redistributed and in all likelihood, abused," companies have been increasingly held to account over allowing it to happen. It's for this reason, for example, that Facebook got into hot water over the Cambridge Analytica scandal, and subsequently added data scraping to the Meta bug-bounty program as a threat vector.

He tells Dark Reading, "Trello seems to recognize that scraping of this nature shouldn't occur based on the technical controls [i.e. tightening the API] they've implemented, but hasn't really acknowledged that in their communications."

In absence of software providers focusing on preventing data scraping, Kent suggests that businesses should always have their critical business applications penetration-tested to uncover potential API and business logic issues like this.

Prior Data Breaches, Scraping Attacks, Follow-On Cyber Risk

To gain such scale with data scraping, the hacker was clearly working from a sizeable pool of known email addresses and an automated approach. But where did they come from?

According to Hunt, when he added the Trello data to the HIBP database of compromised credentials, every single one of the email addresses in emo's collection had already been added at some point in the past. Hunt's spot-check of 500 of the Trello emails revealed some of the sources:

As for the risk to businesses, having such publicly available emails already collected into a nice, neat, voluminous database makes it a lot less labor-intensive for cybercriminals to mount brute-force attacks and credential stuffing for account takeovers.

"I'd be ... worried about credential stuffing from other username and password pair dumps," Hunt notes, given the massive scale of prior data dumps that include associated passwords, like the infamous Collection 1 password database from 2019.

And indeed, given that Trello boards contain plenty of proprietary data on in-progress and completed projects alike, affected businesses will want to ensure that they're protected with additional security controls such as multifactor authentication (MFA), not simply passwords alone.

"Cybercriminals appear to be having increased success in performing credential stuffing attacks in the past few months," Joseph Carson, chief security scientist and advisory CISO at Delinea, says, pointing to the just-disclosed Jason's Deli attack as an example. "When storing sensitive data, users need to make sure they use unique credentials on every account by using a password vault, a password manager, or a privileged access management solution. They should also use MFA so that even when accounts are compromised, the password is not the only security control protecting their data."

There's also a very real opportunity around phishing, according to Kent.

"Most of the follow-on attacks from this type of breach are contextual in nature," he notes. "Think of a phishing attack but I already know you are part of this system. I might send you a breach notification to reset your password, and have you click a link. That link might install malware or do something else. The context of the data makes it super important."