
Email addresses of 15 million Trello users leaked on hacking forum
2024-07-16 17:57

A threat actor has released over 15 million email addresses associated with Trello accounts that were collected using an unsecured API in January.

The threat actor, who goes by the alias "emo", created a list of 500 million email addresses and fed it into the API to determine whether each one was linked to a Trello account.

"Trello had an open API endpoint that allows any unauthenticated user to map an email address to a trello account," emo explained in the forum post.

The leaked data includes email addresses and public Trello account information, such as the user's full name.

"Enabled by the Trello REST API, Trello users have been enabled to invite members or guests to their public boards by email address. However, given the misuse of the API uncovered in this January 2024 investigation, we made a change to it so that unauthenticated users/services cannot request another user's public information by email. Authenticated users can still request information that is publicly available on another user's profile using this API. This change strikes a balance between preventing misuse of the API while keeping the 'invite to a public board by email' feature working for our users. We will continue to monitor the use of the API and take any necessary actions."

In 2022, Twitter suffered a similar breach when threat actors abused an unsecured API to link phone numbers and email addresses to millions of users.
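The statement above says use of the API will continue to be monitored, since authenticated users can still look up profiles by email. As an added example (not code from Trello, Atlassian or the original article), the sketch below flags clients that query many distinct addresses in a short window; the log format, the `/lookup` path and the thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not Trello's):
#   <epoch> <client_ip> <token_id or -> /lookup?email=<addr> <status>
LINE = re.compile(r"(\d+) (\S+) (\S+) /lookup\?email=(\S+) (\d{3})")

def find_enumerators(lines, window=60, max_distinct=5):
    """Return {client: (distinct_emails, miss_ratio)} for clients that looked up
    more than max_distinct different addresses inside any `window` seconds."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.fullmatch(line.strip())
        if not m:
            continue  # ignore requests to other endpoints
        ts, ip, token, email, status = m.groups()
        # Key on the token when present so rotating IPs does not hide a caller.
        client = f"token:{token}" if token != "-" else f"ip:{ip}"
        events[client].append((int(ts), email.lower(), status))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans < `window` seconds.
            while evs[end][0] - evs[start][0] >= window:
                start += 1
            span = evs[start:end + 1]
            distinct = {e for _, e, _ in span}
            if len(distinct) > max_distinct:
                # Checking a bulk list against the API yields mostly misses.
                misses = sum(1 for _, _, s in span if s == "404")
                flagged[client] = (len(distinct), round(misses / len(span), 2))
                break
    return flagged

def sample_log():
    """Constructed data: one invite-style user, one bulk checker using a token."""
    normal = [f"{1000 + 30 * i} 198.51.100.7 tokA /lookup?email=friend{i}@example.com 200"
              for i in range(3)]
    bulk = [f"{1000 + i} 203.0.113.{i % 4} tokB /lookup?email=user{i}@example.org "
            f"{200 if i % 5 == 0 else 404}" for i in range(20)]
    return normal + bulk

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

A high count of distinct addresses combined with a high miss ratio separates list-checking from the invite-by-email use the API was built for.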


News URL

https://www.bleepingcomputer.com/news/security/email-addresses-of-15-million-trello-users-leaked-on-hacking-forum/