Data of 15 million Trello users scraped and offered for sale

Someone is selling scraped data of millions of users of Trello, a popular a web-based list-making application and project management platform, on a dark web hacker forum.

The database dump “contains emails, usernames, full names and other account info,” the seller claims in the advertisement. The dump contains 15,115,516 unique lines (i.e., records). As proof that the data is authentic, the seller published a sample that contains entries matching the term ‘cheko’.

The seller does not claim they have gained access to Trello’s systems, as confimed by Atlassian (parent company of Trello) to The Cyber Express. “Our investigation is ongoing, though we have not found evidence to support that this data was gathered by unauthorized access,” a company spokesperson said last week.

About the Trello “data breach”

The data has been added to the Have I Been Pwned? website and Trello users can check whether their email address, name and username is contained in the dump by entering the email address associated with their Trello account(s).

According to the service, the data was scraped from Trello in January 2024, and “was obtained by enumerating a publicly accessible resource using email addresses from previous breach corpuses.”

Have I Been Pwned? creator Troy Hunt says that “it looks like someone had themselves a collection of breaches in public circulation, grabbed all the email addresses from them and then threw them at Trello to see which ones returned results.”

Whether this incident can be called a data breach is open for debate, but according to Hunt, it can definitely have adverse consequences for some users.

“I was surprised to find my address in the data, but I’m glad I know. I had no idea someone could take my address and enumerate Trello to discover not just that I used the service, but also under what name,” he noted.

“But this is low impact for me because there’s a direct association between my name and my email, indeed I make that information publicly available on my own blog. But that’s just me and every time there’s a scrape like this, there are others who are unintentionally doxed.”

Of course, the scraped data can also be leveraged for targeted phishing and password brute-force attacks.

Users who use the same email and password combination for various online services and have had this combination compromised in previous data breaches are in danger of getting their Trello account hijacked (if they haven’t switched on two-factor authentication).

Trello: Previous data leaks, service exploited by attackers

The web-based app / service is leveraged by attackers as a cloud hosting service for malicious payloads or to serve as a command and control (C2) point for malware.

Trello has previously been the source of data leaks when users have – accidentaly or due to not understanding specific settings – exposed some of their sensitive data by making their Trello boards public.

Help Net Security has asked Atlassian for up-to-date information regarding their investigation into the incident and their plans to prevent similar incidents in the future. We’ve also asked what “other account info” could have been scraped by the threat actor. We will update this article if/when we receive a response.

UPDATE (January 23, 2024, 11:30 a.m. ET):

“We completed an exhaustive investigation and did not find evidence to support that this data was gathered by unauthorized access,” an Atlassian spokesperson told Help Net Security.

“A threat actor, who was in possession of a pre-existing list of email addresses, used those email addresses to lookup public Trello user profiles. The email addresses and the public Trello user profile data were combined to create the final data set. The threat actor only obtained Trello user profile information that was already publicly available and combined this information with email addresses that the threat actor had obtained from another source.”

UPDATE (January 24, 2024, 04:33 a.m. ET):

The person selling the data set told Bleeping Computer that they used a publicly exposed Trello REST API to collect the data: all they needed was to query it with an email address, and it would return public profile information of the person that signed up with that email address.

Trello said that the API allows users to invite members or guests to their public boards by email address, but that they have now made it so that users/services querying it for public profile info will have to be authenticated.

The company also addressed Trello users with a post on their community forum, and said that “the threat actor only obtained Trello user profile information that was already publicly available and combined this information with email addresses that the threat actor had obtained from another source.”

“There is no action you need to take related to your Trello account, however, please review your Trello privacy settings to ensure anything in a public field is something you don’t mind being public,” they added, and further advised users to use a strong, unique password for their account and to enable two-factor authentication on it.