Millions of Trello users faced a data scare this week, with a threat actor claiming to possess 15 million user records on a dark web forum. While the incident initially raised concerns about a security breach, investigations revealed a different culprit: web scraping.

Trello Data Leak: What You Need to Know

• On January 16th, 2024, a threat actor using the alias “emo” posted on a hacking forum, offering to sell 15 million Trello user records containing emails, usernames, full names, and other publicly available profile information.
• Trello promptly investigated and confirmed no unauthorized access to their systems. Instead, they discovered the data was gathered through web scraping, a technique that automatically extracts information from websites.
• The threat actor likely obtained email addresses from previous data breaches, not from Trello itself.

Trello’s Response:

• Trello has implemented stricter limits on how often unauthenticated users can query public profiles using email addresses.
• They are also actively monitoring user activity for suspicious behavior to prevent future misuse.

What it Means for Trello Users:

• While the exposed data was already publicly available, it could be used for targeted phishing attacks. Users should be wary of suspicious emails, even if they mention Trello or seem personalized.
• Although passwords weren’t compromised, attackers might utilize the list for brute-force attempts or credential stuffing across other platforms. Enabling two-factor authentication is crucial for added security.

Experts Weigh In:

• James Sherlow, Systems Engineering Director at Cequence Security, emphasizes the importance of behavioral analysis to detect API misuse, highlighting vulnerabilities beyond traditional rate limiting and IP-based protection.
• The incident underscores the growing concern of “business logic abuse,” where attackers exploit intended website functionality for malicious purposes.

While Trello maintains they weren’t directly hacked, this incident serves as a stark reminder of the evolving cybersecurity landscape. Users must be aware of potential threats and take proactive steps to protect their data. Organizations, meanwhile, need to continuously evaluate and strengthen their security posture to combat sophisticated attacks.

Earlier Trello Data Breaches 

Trello has faced other data-related incidents in the past, though not necessarily full-fledged breaches in the traditional sense. Here are two noteworthy examples:

1. Inadvertent Public Board Exposure (January 2020): Cybersecurity firm Sophos identified instances where users unintentionally exposed sensitive content by making their Trello boards publicly visible. This wasn’t a breach of Trello’s systems, but rather a user configuration issue highlighting the importance of proper privacy settings.
2. APT29 Leverage for Espionage (April 2022): Cybersecurity firm Mandiant observed the threat actor group APT29 using Trello boards to evade detection while targeting diplomatic missions. This didn’t involve compromising Trello’s security, but rather exploiting the platform’s functionality for malicious purposes, demonstrating the potential for misuse.

While these weren’t direct data breaches like the recent scraping incident, they showcase how Trello has been involved in data-related concerns in the past. Remember, even when systems aren’t breached, user data can be exposed through misconfigurations or misuse, underlining the importance of ongoing vigilance and best practices for both users and platforms.

Lessons Learned:

• Even publicly available data can be misused when combined with information from other sources.
• Organizations need robust defenses against web scraping and other forms of data exfiltration.
• Users should remain vigilant, practice good online hygiene, and use strong security measures like two-factor authentication.