Trello API abused to link email addresses to 15 million accounts
2024-01-23 21:31

An exposed Trello API allows linking private email addresses with Trello accounts, enabling the creation of millions of data profiles containing both public and private information.

In a conversation with emo, BleepingComputer learned that a publicly exposed API was used to associate email addresses with public Trello profiles.

The threat actor then built a list of 500 million email addresses and fed them into the API to determine if they were associated with a Trello account.

Scraping public data is not usually a concern, because that data was already public. The email addresses associated with Trello accounts, however, were meant to be known only by the account holder.

For those concerned, the Trello leak has been added to the Have I Been Pwned data breach notification service, allowing anyone to check if they are among the 15 million leaked email addresses.

A similar leak occurred in 2021 when threat actors exploited a Twitter API bug that allowed users to input email addresses and phone numbers and confirm whether they were associated with a Twitter ID. The threat actors used another API to scrape the public Twitter data for the ID, combining the public data with associated private email addresses and phone numbers of Twitter users.


News URL

https://www.bleepingcomputer.com/news/security/trello-api-abused-to-link-email-addresses-to-15-million-accounts/