It may depend on definitions. Where I work, we classify users' emails as "personal" information, and we would consider it a breach if all the emails were leaked.
> Trello users are about to get bombarded by phishing attempts and spam.
All of the emails present in this "leak" were taken from other dumps. That's how it's made, they took a list of known emails and tried to link them to a trello account.[1]
In many cases: yes. That you need to tell others your email address to be able to use it doesn't mean it can't be used to identify you, especially if your email address is hasty.pudding@gmail.com everybody will know exactly what your proper name is.
What do you mean? Big tech advertising unfortunately works too well for me. A friend heavily uses the look alike feature on fb to target similar people that purchased his product. Fever ticketing also uses this too.
If you’re having ad quality issues, it could be that they don’t have good advertisers matching your profile.
They're a part of the composite "keys" tied to managing your personal identity. If you use one email for everything, having that email exposed means that a portion of that key has been compromised, and you may be targeted by attackers that previously did not know of your existence.
If you use a unique email for everything, attackers need to determine email+password+whatever, instead of just password+whatever, where "whatever" is security questions or compromising 2FA.
> Trello
In January 2024, data was scraped from Trello and posted for sale on a popular hacking forum. Containing over 15M email addresses, names and usernames, the data was obtained by enumerating a publicly accessible resource using email addresses from previous breach corpuses. Trello advised that no unauthorised access had occurred
Which "publicly accessible resource using email addresses from previous breach corpuses" are they referring to? Am I being paranoid that HIBP itself is a potential vector for this enumeration type data exfiltration?
> using email addresses from previous breach corpuses
> enumerating a publicly accessible resource
> Trello advised that no unauthorised access had occurred
That sounds like a credential stuffing attack to me!
Most likely the attackers used the password reset form, and that Trello acknowledge the existence of emails. This used to be considered bad practice, but it's more nuanced than that, provides basically no useful information, and is now considered to be a relatively safe practice.
Alternatively it's possible they used some sort of sharing functionality to try to share Trello content with other addresses, and again the availability of that for usage would be by-design.
> This used to be considered bad practice, but it's more nuanced than that, provides basically no useful information, and is now considered to be a relatively safe practice.
Against this:
> 15M email addresses
While you're saying that Trello leaked nothing, it strikes me as odd that an attacker could successfully interrogate a public resource enough times to confirm the existence of 15 million addresses without triggering some kinds of checks/balances to prevent such enumeration.
I understand this is meaningfully different than other kinds of leaks (i.e. an actual compromise), but it still indicates an issue on the Trello side.
FWIW, I'm trusting the public statement from Trello here. They could be wrong, but given that the data doesn't appear to contain anything new (like Trello passwords), it seems plausible.
I'd agree that 15 million requests should trigger something, but it depends on how long this happened over. Fundamentally, rate limiting access to a public resource is not a security mechanism against disclosure from that source, rate limiting is only a viable countermeasure against denial of service style attacks. So while there may be some improvements Trello could make here, I don't think they'd materially change this.
Yes they did. Trello leaked usernames, full
names, “other account details” in exchange for an email address input. Credential stuffing requires knowledge of the password.
Credential stuffing can use the password, but in general it's just using some credentials you already have (maybe just an email) against a different service to see what you get out.
Can you just admit you’re wrong here? If I go to a service with 1 piece of information (an email) and I walk away with more PII than I provided, that’s a leak.
So let me try to "share" something with on a banking app, see if that returns your balance. And then I'll tell you it's designed that way after I publish it along with 15M other people's balance. Not a leak guys !
It's not Trello, it's Atlassian who did not learn and doesn't seem to care that much.
Even in 2017 it seemed to me Atlassian only bought it so anyone else couldn't have it and they would like it to die in the future but for the time being they could use it as future customer acquisition entry for their main products ( Jira and Confluence )
Their disinterest in Trello in recent years might just be what has saved it for so long. Once their crack teams of product development people arrives it will be game-over.
Probably legal reasons. Usually doesn’t make business sense to declare and publicly announce a breach until you do some internal investigating to understand the scope/impact (not defending them, it’s just reality.. also their cyber insurance company would get pissed if they did anything without their approval during a possible breach, things take time)
Probably also some internal debate whether this should be considered a breach or not and whether it’s worth the cost of announcing it vs. the risk of not announcing it
This is true, but as the parent mentioned you also need to understand the nature of the breach first. Giving people accurate information is as important as giving them timely information.
From what I can tell, you can get all the info mentioned just by putting an email into the invite popup. So this isn't a leak in that sense. Everything works as intended.
Bad title. Attackers queried Trello with email addresses and got back names, usernames and if the addresses were valid. You can use a lot of services to do that, but usually they cost money.
> > Trello In January 2024, data was scraped from Trello and posted for sale on a popular hacking forum. Containing over 15M email addresses, names and usernames, the data was obtained by enumerating a publicly accessible resource using email addresses from previous breach corpuses. Trello advised that no unauthorised access had occurred
You are both correct. The title is bad since it says "Trello leaked 15M email addresses" but the email addresses were already leaked and were used to look up the additional details. It is still leaking (names and usernames), but Trello didn't leak 15m email addresses.
How can they confirm that the email addresses were all from previous breach corpuses without buying said corpuses? Attackers could have been probing for first name + last name combinations to confirm business email addresses, for instance. Just because the parameter was "email address" doesn't mean that those email addresses weren't automatically generated.
You misunderstand, I have a very unique French email address and I got the email. There is no way they enumerated my email address, there is no way they matched 15M randomly generated first.last@gmail.com emails: mine wasn't even that.
For info, that same email address has been receiving many many haveibeenpwned warnings, it's everywhere and I consider it basically completely public lol.
I bet they did it via the "share" button. Put in an email and Trello returns a name and username. Would be pretty trivial to have a bot slowly enter emails over time.
The email addresses weren't leaked by Trello - they were already leaked from "previous breach corpuses". So if you want the email addresses, you just need to be hanging out in the same forums and sites as the bad actors.
I assume all of my information is public, from my SSN, email, name, DOB, to all my possible security questions.
This is why I have my credit frozen with every agency, and all of my security question answers are plausible sounding, but entirely fake, answers stored in my password manager.
I'm not sure there is anything else we can do as consumers.
I feel so bad for all the people who have the same surnames as their unmarried mothers and don't think this through. I don't know how big that chunk of humanity is, but I feel for them.
A lot of times those are read by customer service reps. You'd hope if someone called up as MOARDONGZPLZ and said wazzup I'm MOARDONGZPLZ, my security questions are all gibberish, the CSR would be all "nope, need the exact answers." But instead they could be all "yeah kewl man, they are gibberish. How much $ would you like me to transfer again?
I think the "random but actually meaningful" route is better. If you want it to get checked, grandma's name comes off fake name generator, not line noise from a CSPRNG.
Sometimes a CSR for a bank or insurance company will ask questions and expect answers based on their sata about you. Which is especially fun when it's:
1) Wrong information
2) Information you don't know, like an estranged family member's birthday
I also use generated "passwords" for security question answers because most of the questions are idiotic and easy to guess for someone who is really targeting you.
They don't need to be plausible sounding, by the way, a random string of characters is fine.
Pet's name -> probably in your Instagram
Favorite color -> Hmm let's see what clothes you wear in your selfies
Street you lived on -> Hmm they probably already breached your credit report and the idiots at Experian leak all the streets you lived on without your consent
For a while I had an account that had, as a last resort for recovery, asked me random questions about the town I grew up in. Like, “which of these roads were near your house.”
Had no idea, googled them… there’s some security theater that I don’t think anybody could have been reassured by.
Also, never give out your residential address to anyone except the government, and your employer. Use a virtual mailbox for all private companies because they leak info, just like this. Private companies are not the government and have no right to know where you sleep.
Don't register to vote. It doesn't matter anyway unless you're in a swing state, and the idiots at the voting registration offices leak residential addresses.
Yeah I agree with you in principle, though I don't want to get in trouble with the people who have guns and handcuffs.
Private businesses on the other hand can f off. My credit card co can't come and handcuff me for not giving them an address to leak to 3rd party auto ads.
Well it's not a prison but it's a big group of people reaching compromises to make it safer for everyone else. Look at it this way: if nobody knows your address, not even the people guaranteeing property law, someone could enter your house, get you to fuck right off, and you'd end up naked in the street with everyone asking where's your proof you live there.
My landlord and I have a signed lease which can be produced on demand. No other party need have the information in advance, especially not those who claim the authority to enforce property rights.
Courts enforcing notional rights weeks or
months later can’t get you un-murdered in your sleep by home invaders. Did we all forget that swatting is a thing?
The place that you sleep is secret, and you should never tell it to anyone that isn’t an invited guest, especially not apps or the DMV. Every other data leak can nominally be mitigated with time, inconvenience, or expense, but violence to your person or your children cannot be un-done after the fact.
I guess if you are rich enough you could rent an additional studio that you don't actually sleep in 99% of the time but technically is one of your residences, and give that address to the DMV.
When the DMV leaks your info to all your stalkers and crooks on the internet and they come after you they won't find you there.
This is the most airtight way if you have money to burn, but most everyone I know just uses a postbox (not a PO box but a private one) like full-time RVers/vanlife people do.
Whats more amusing is that the DOJ and FinCEN think their KYC and anti money laundering regime works simply because people with sanctioned names don't have bank accounts here…. in their name
They seem to completely not notice that every individual and business would never know if another bank account existed in their name if it wasnt used in a different kind of crime or overdrawn forever.
there are plenty of people that just want access and dont do anything bad with it, aside frok the paradoxical standard of having access or impersonation to be bad
same is true of credit, although the original identity can see the extra credit line added, sometimes the phantom is a better steward of your credit than you are. Like “wow mixed lines of credit, paid on time! thanks undocumented person!”
You mis-construct law enforcement / crime prevention. First, it's never about solving all crimes committed by "bad people", the first priority is to show a big red lock everywhere sensitive so that your nice grandma doesn't go "oh well, the door is open and nobody's looking, might as well go see what's in there". Opportunity is the biggest driver of crime in humans, and it would be unmanageable not to have those sanction regimes in place, just as if nobody had door locks.
Second, they need to make it illegal FIRST, or there would be no sanction evasion crime: if they don't act all naive and say "you cannot have an account here at all", then having an account would be fine... now the criminals need to cheat and lie, which they can be charged for.
Finally: not all crime will ever be punished and there's definitely a cost calculation: do we want to take fingerprints of all clients in banks to match them to a central id card database, to end up with criminals infiltrating the fingerprinting system anyway and everyone else having to do those dumb fingerprint checks for nothing ? Better keep it simple while the criming stays manageable.
You can give unique emails to every service, not provide your real DOB, use randomized security questions, and a per-service alias name.
The only cases where this doesn’t work are banking and airlines, which are required to check your government ID. Trello isn’t, and you can give them a burner forwarding email and fake name so this kind of thing doesn’t affect you.
You’d be surprised how much business you can conduct without providing your name. (pro tip: the “name” field in the credit card form is not matched against the cardholder.)
Also, make sure your CC billing address is a post box, so you’re not giving your residential address to everyone you transact with (the address/zip is matched).
Not only the name is matched here in Hong Kong, but the address as well: so many people don't believe it, and I have to strongly insist they just write it better and poof, payment works !
I think it's a sort of option / depends on amount: some sites don't ask more than your card number and it works, some other you need to redo 5 times before they match properly. And anyway here you need to approve in the app like for a Google 2FA in Android.
No restaurant has ever asked me for an ID when making payment. Also, I think perhaps you misunderstood me: I am talking about forms on the web, as this thread is about Trello’s leak. My ID and all of my payment cards match (as I used the same ID to obtain them).
It's also, for many people, incredibly easy to find. People often keep their maiden names as a middle name, so if you can find someone's mother (relatively easy in the age of Facebook) it's not a far leap to figure it out from there. Even if they didn't keep their maiden name, finding it out is pretty simple by connecting the dots.
It made a bit more sense in the era before a majority of people started posting their private lives on the internet. These days it's a security disaster. Thankfully, the increasing popularity of non-traditional naming arrangements will probably do away with it soon.
Services like Apple’s “hide my email” are becoming more and more important. Not only does it prevent apps and websites crossing you across the web, it prevents website hacks from identifying you.
Expect websites and apps to strong arm your phone number in the future as a result.
I use Fastmail for that and without noticing, I'm to 32 "fake" addresses. Got banned by EA for buying and playing a game with an account on such an address.
"Businesses in the United States, Canada and the United Kingdom use AVS" I don't live in any of these countries. Even so it's more cost for business to use AVS, most won't. The likes of my mobile phone credit or Steam or Spotify or cloud services don't use any sort of address validation
For EA it is less about datamining and more about flagging behavior that matches that of a cheater evading a ban. Cheaters reduce the fun, and therefore value, of a game.
We also need something for phone numbers, since these also get leaked all the time and then you get weird Whatsapp calls. Reporting has no use, the numbers in Whatsapp never get blocked.
Many apps and services now demand a phone number, sometimes lying about suspicious activity or security problems to get you to cough it up. Others wait until you've been using the service to spring it on you so they have more leverage to squeeze it out of you.
Many of these services will also block signing up with throwaway email providers, of course Apple's service would require them to block to many "legit" users so it remains a good choice. The ones taking your phone number usually block land lines and voip providers, some even block prepaid mobile plans!
Meanwhile they lose your PI and shrug their shoulders or blame the users, but if you try to protect yourself from their garbage security the decide you must be a bad actor for practicing compartmentalization to limit the blast radius of their inevitable screw ups. It isn't like there is punishment for them screwing up so there's no reason for them to not take everything they can get.
After getting phished on my RuneScape account, I’ve learned to NEVER reuse passwords, and enable 2FA wherever possible so when a data leak like this happens, the risk is mitigated to just that website, if at all. All passwords are randomly generated strings.
The "share" button for a board does. Share a Trello board and enter an email. It returns a full name and a username in the response and sometimes the UI.
I don't want to diminish security leaks in general, but if your email address is first.last@employer.com where's the breach? Given, this I think Saas services should make a move back towards usernames.
Thanks for services like Firefox Relay that create masked email addresses. I remember being not able to make my email address not discoverable on my Trello account, at the time I complain to support because random people added me to their kanban boards, now I find other issue with that feature.
What if service is closing or you want to move to another ? Genuine question. I see the short term advantage of all those services offering hidden emails but to me i've got more to lose with it if the service is interrupted for whatever reason than having to filter some spam in a mailbox I got full control on.
Ah, The Atlassian Effect kicks in. Turning perfectly good products into steaming bags of horribleness.
Sorry, a little snarky. But I predicted Trello would suffer from joining Atlassian, and though this is not how I predicted that would happen (I predicted lots of utterly useless new features clogging up the UI until it's unusable), it is an indicator of The Atlassian Effect in action.
This email leak is probably step one. Someone is going to correlate passwords from other breaches to figure out who reused passwords and then use that to breach accounts. Hopefully Trello is protecting against this with something like an integration with HIBP for logins to force password changes or with MFA.
Some months ago my company got certified with the ISO 27001 thing about information security management. It was a horrible process to be part of and in charge for for the IT side and the consultants and auditors where the types of people that take themselves too seriously, haven't worked in a real environment in 20 years and come and suggest things just because it's in the standard, but with no context as to how companies operate. Anyhow, apparently this certification is somehow important for a lot corporate clients, I always said that's it's mostly security theatre. Now I see that both Atlassian and Trello are ISO 27001 certified and they leak the data like this... How do they even get away with this in an audit, maybe because it's just a worthless certification.
I think it’s fundamentally just ass covering. Executives want some kind of certification to be able to say they did due diligence. The quality of the certification doesn’t really matter as long as it’s standard enough
Nice. About time too. Trello was languishing for far too long. I thought it would have been breached far too early. That's why always create a proxy email and a separate password for each service.
137 comments
[ 3.8 ms ] story [ 242 ms ] threadMany things don't matter at a small scale, but they do at 15M-scale.
Trello users are about to get bombarded by phishing attempts and spam.
All of the emails present in this "leak" were taken from other dumps. That's how it's made, they took a list of known emails and tried to link them to a trello account.[1]
> What's the endpoint?
I think https://developer.atlassian.com/cloud/trello/rest/api-group-.... The endpoint allows you to get all public info (bio and username) from a trello account by its email.[2]
> Why did it provide personal information?
So users can invite other users to their boards via their email address.
> Why wasn't it throttled?
It should've been.
[1]: https://haveibeenpwned.com/PwnedWebsites#Trello
[2]: https://www.bleepingcomputer.com/news/security/trello-api-ab...
I can literally go to the tax assessor's website and search an address and find out exactly who owns that property.
But if a data leak finally gives me meaningful ads - that'd be nice.
If you’re having ad quality issues, it could be that they don’t have good advertisers matching your profile.
If you use a unique email for everything, attackers need to determine email+password+whatever, instead of just password+whatever, where "whatever" is security questions or compromising 2FA.
A credential stuffing attack found 15M email addresses that attackers already knew had Trello accounts.
> Trello In January 2024, data was scraped from Trello and posted for sale on a popular hacking forum. Containing over 15M email addresses, names and usernames, the data was obtained by enumerating a publicly accessible resource using email addresses from previous breach corpuses. Trello advised that no unauthorised access had occurred
> enumerating a publicly accessible resource
> Trello advised that no unauthorised access had occurred
That sounds like a credential stuffing attack to me!
Most likely the attackers used the password reset form, and that Trello acknowledge the existence of emails. This used to be considered bad practice, but it's more nuanced than that, provides basically no useful information, and is now considered to be a relatively safe practice.
Alternatively it's possible they used some sort of sharing functionality to try to share Trello content with other addresses, and again the availability of that for usage would be by-design.
> This used to be considered bad practice, but it's more nuanced than that, provides basically no useful information, and is now considered to be a relatively safe practice.
Against this:
> 15M email addresses
While you're saying that Trello leaked nothing, it strikes me as odd that an attacker could successfully interrogate a public resource enough times to confirm the existence of 15 million addresses without triggering some kinds of checks/balances to prevent such enumeration.
I understand this is meaningfully different than other kinds of leaks (i.e. an actual compromise), but it still indicates an issue on the Trello side.
I'd agree that 15 million requests should trigger something, but it depends on how long this happened over. Fundamentally, rate limiting access to a public resource is not a security mechanism against disclosure from that source, rate limiting is only a viable countermeasure against denial of service style attacks. So while there may be some improvements Trello could make here, I don't think they'd materially change this.
Which is surely far below the CTR one would expect for people actually using the share feature on Trello.
Even in 2017 it seemed to me Atlassian only bought it so anyone else couldn't have it and they would like it to die in the future but for the time being they could use it as future customer acquisition entry for their main products ( Jira and Confluence )
Their disinterest in Trello in recent years might just be what has saved it for so long. Once their crack teams of product development people arrives it will be game-over.
Probably also some internal debate whether this should be considered a breach or not and whether it’s worth the cost of announcing it vs. the risk of not announcing it
So they may not feel they need to say anything.
Whatever.
https://www.troyhunt.com/tag/have-i-been-pwned-3f/
> > Trello In January 2024, data was scraped from Trello and posted for sale on a popular hacking forum. Containing over 15M email addresses, names and usernames, the data was obtained by enumerating a publicly accessible resource using email addresses from previous breach corpuses. Trello advised that no unauthorised access had occurred
For info, that same email address has been receiving many many haveibeenpwned warnings, it's everywhere and I consider it basically completely public lol.
This is why I have my credit frozen with every agency, and all of my security question answers are plausible sounding, but entirely fake, answers stored in my password manager.
I'm not sure there is anything else we can do as consumers.
Much better to use a 'plausible' answer like "Fielder" or "Pitt" or any random real last name.
Sounds plausible enough, but clearly a fake.
People asking them do need an explanation though, but no chance someone could guess one because it was plausible but wrong.
I think the "random but actually meaningful" route is better. If you want it to get checked, grandma's name comes off fake name generator, not line noise from a CSPRNG.
A CSR is much more likely to expect correct or similar words than a correct or similar string of gibberish.
Correct Horse Battery Staple
WHat's your mothers maiden name?
Correct Horse Battery Staple
What's your favourite movie?
Correct Horse Battery Staple
1) Wrong information
2) Information you don't know, like an estranged family member's birthday
They don't need to be plausible sounding, by the way, a random string of characters is fine.
Pet's name -> probably in your Instagram
Favorite color -> Hmm let's see what clothes you wear in your selfies
Street you lived on -> Hmm they probably already breached your credit report and the idiots at Experian leak all the streets you lived on without your consent
Had no idea, googled them… there’s some security theater that I don’t think anybody could have been reassured by.
> Select your favorite city:
> 1) Paris
> 2) New York
> 3) Banana
> 4) Beijing
Don't register to vote. It doesn't matter anyway unless you're in a swing state, and the idiots at the voting registration offices leak residential addresses.
This isn’t a prison, my location isn’t anyone’s business but my own.
Private businesses on the other hand can f off. My credit card co can't come and handcuff me for not giving them an address to leak to 3rd party auto ads.
Simplification sure, but you started.
Courts enforcing notional rights weeks or months later can’t get you un-murdered in your sleep by home invaders. Did we all forget that swatting is a thing?
The place that you sleep is secret, and you should never tell it to anyone that isn’t an invited guest, especially not apps or the DMV. Every other data leak can nominally be mitigated with time, inconvenience, or expense, but violence to your person or your children cannot be un-done after the fact.
https://www.nbcnews.com/news/amp/ncna1274747
When the DMV leaks your info to all your stalkers and crooks on the internet and they come after you they won't find you there.
Ron Swanson is parody; I am being sincere.
They seem to completely not notice that every individual and business would never know if another bank account existed in their name if it wasnt used in a different kind of crime or overdrawn forever.
there are plenty of people that just want access and dont do anything bad with it, aside frok the paradoxical standard of having access or impersonation to be bad
same is true of credit, although the original identity can see the extra credit line added, sometimes the phantom is a better steward of your credit than you are. Like “wow mixed lines of credit, paid on time! thanks undocumented person!”
Second, they need to make it illegal FIRST, or there would be no sanction evasion crime: if they don't act all naive and say "you cannot have an account here at all", then having an account would be fine... now the criminals need to cheat and lie, which they can be charged for.
Finally: not all crime will ever be punished and there's definitely a cost calculation: do we want to take fingerprints of all clients in banks to match them to a central id card database, to end up with criminals infiltrating the fingerprinting system anyway and everyone else having to do those dumb fingerprint checks for nothing ? Better keep it simple while the criming stays manageable.
The only cases where this doesn’t work are banking and airlines, which are required to check your government ID. Trello isn’t, and you can give them a burner forwarding email and fake name so this kind of thing doesn’t affect you.
You’d be surprised how much business you can conduct without providing your name. (pro tip: the “name” field in the credit card form is not matched against the cardholder.)
Also, make sure your CC billing address is a post box, so you’re not giving your residential address to everyone you transact with (the address/zip is matched).
I think it's a sort of option / depends on amount: some sites don't ask more than your card number and it works, some other you need to redo 5 times before they match properly. And anyway here you need to approve in the app like for a Google 2FA in Android.
Also, I have been asked to show ID with a card when making payment at plenty of retail establishments, just not necessarily restaurants.
Why do I have to tell a stranger over the phone my mother’s maiden name to confirm I own the account? That’s not my info to share, it’s my mother’s.
It's also, for many people, incredibly easy to find. People often keep their maiden names as a middle name, so if you can find someone's mother (relatively easy in the age of Facebook) it's not a far leap to figure it out from there. Even if they didn't keep their maiden name, finding it out is pretty simple by connecting the dots.
It made a bit more sense in the era before a majority of people started posting their private lives on the internet. These days it's a security disaster. Thankfully, the increasing popularity of non-traditional naming arrangements will probably do away with it soon.
Expect websites and apps to strong arm your phone number in the future as a result.
Why would you spread falsehoods like that?
https://stripe.com/resources/more/what-is-address-verificati...
Many of these services will also block signing up with throwaway email providers, of course Apple's service would require them to block to many "legit" users so it remains a good choice. The ones taking your phone number usually block land lines and voip providers, some even block prepaid mobile plans!
Meanwhile they lose your PI and shrug their shoulders or blame the users, but if you try to protect yourself from their garbage security the decide you must be a bad actor for practicing compartmentalization to limit the blast radius of their inevitable screw ups. It isn't like there is punishment for them screwing up so there's no reason for them to not take everything they can get.
https://haveibeenpwned.com/PwnedWebsites#Trello
Sorry, a little snarky. But I predicted Trello would suffer from joining Atlassian, and though this is not how I predicted that would happen (I predicted lots of utterly useless new features clogging up the UI until it's unusable), it is an indicator of The Atlassian Effect in action.