137 comments

[ 3.8 ms ] story [ 242 ms ] thread
are emails private info?
It may depend on definitions. Where I work, we classify users' emails as "personal" information, and we would consider it a breach if all the emails were leaked.
Well as the page states, these were scraped from a public endpoint. So not really
What's the endpoint? Why did it provide personal information? Why wasn't it throttled?

Many things don't matter at a small scale, but they do at 15M-scale.

Trello users are about to get bombarded by phishing attempts and spam.

Checkmate hackers. I already am bombarded by phishing attempts and spam.
> Trello users are about to get bombarded by phishing attempts and spam.

All of the emails present in this "leak" were taken from other dumps. That's how it's made, they took a list of known emails and tried to link them to a trello account.[1]

> What's the endpoint?

I think https://developer.atlassian.com/cloud/trello/rest/api-group-.... The endpoint allows you to get all public info (bio and username) from a trello account by its email.[2]

> Why did it provide personal information?

So users can invite other users to their boards via their email address.

> Why wasn't it throttled?

It should've been.

[1]: https://haveibeenpwned.com/PwnedWebsites#Trello

[2]: https://www.bleepingcomputer.com/news/security/trello-api-ab...

In many cases: yes. That you need to tell others your email address to be able to use it doesn't mean it can't be used to identify you, especially if your email address is hasty.pudding@gmail.com everybody will know exactly what your proper name is.
yeah but isnt a person's name as public as their email?

I can literally go to the tax assessor's website and search an address and find out exactly who owns that property.

These emails can be used for targeted advertising: this email works in tech or startups, let’s show ads to them!
Given that it most certainly doesn't work with current big-name advertising companies, I'm skeptical it's gonna work with some random data leak.

But if a data leak finally gives me meaningful ads - that'd be nice.

What do you mean? Big tech advertising unfortunately works too well for me. A friend heavily uses the look alike feature on fb to target similar people that purchased his product. Fever ticketing also uses this too.

If you’re having ad quality issues, it could be that they don’t have good advertisers matching your profile.

if you work in tech and you don’t know a way to block all online ads what the hell are you doing
They're a part of the composite "keys" tied to managing your personal identity. If you use one email for everything, having that email exposed means that a portion of that key has been compromised, and you may be targeted by attackers that previously did not know of your existence.

If you use a unique email for everything, attackers need to determine email+password+whatever, instead of just password+whatever, where "whatever" is security questions or compromising 2FA.

(comment deleted)
(comment deleted)
Trello did not lead anything here.

A credential stuffing attack found 15M email addresses that attackers already knew had Trello accounts.

Umm… wrong?

> Trello In January 2024, data was scraped from Trello and posted for sale on a popular hacking forum. Containing over 15M email addresses, names and usernames, the data was obtained by enumerating a publicly accessible resource using email addresses from previous breach corpuses. Trello advised that no unauthorised access had occurred

(comment deleted)
Which "publicly accessible resource using email addresses from previous breach corpuses" are they referring to? Am I being paranoid that HIBP itself is a potential vector for this enumeration type data exfiltration?
Yeah, paranoid. The data in hibp are all public elsewhere on the dark web
> using email addresses from previous breach corpuses

> enumerating a publicly accessible resource

> Trello advised that no unauthorised access had occurred

That sounds like a credential stuffing attack to me!

Most likely the attackers used the password reset form, and that Trello acknowledge the existence of emails. This used to be considered bad practice, but it's more nuanced than that, provides basically no useful information, and is now considered to be a relatively safe practice.

Alternatively it's possible they used some sort of sharing functionality to try to share Trello content with other addresses, and again the availability of that for usage would be by-design.

I'm struggling to reconcile this:

> This used to be considered bad practice, but it's more nuanced than that, provides basically no useful information, and is now considered to be a relatively safe practice.

Against this:

> 15M email addresses

While you're saying that Trello leaked nothing, it strikes me as odd that an attacker could successfully interrogate a public resource enough times to confirm the existence of 15 million addresses without triggering some kinds of checks/balances to prevent such enumeration.

I understand this is meaningfully different than other kinds of leaks (i.e. an actual compromise), but it still indicates an issue on the Trello side.

FWIW, I'm trusting the public statement from Trello here. They could be wrong, but given that the data doesn't appear to contain anything new (like Trello passwords), it seems plausible.

I'd agree that 15 million requests should trigger something, but it depends on how long this happened over. Fundamentally, rate limiting access to a public resource is not a security mechanism against disclosure from that source, rate limiting is only a viable countermeasure against denial of service style attacks. So while there may be some improvements Trello could make here, I don't think they'd materially change this.

Perhaps they could notice 15m requests with a CTR of 0.0000000%

Which is surely far below the CTR one would expect for people actually using the share feature on Trello.

Yes they did. Trello leaked usernames, full names, “other account details” in exchange for an email address input. Credential stuffing requires knowledge of the password.
Credential stuffing can use the password, but in general it's just using some credentials you already have (maybe just an email) against a different service to see what you get out.
Can you just admit you’re wrong here? If I go to a service with 1 piece of information (an email) and I walk away with more PII than I provided, that’s a leak.
Trello reveals these via their "share" functionality. Put in an email and you get a name and username. This isn't a leak. It is designed that way.
(comment deleted)
So let me try to "share" something with on a banking app, see if that returns your balance. And then I'll tell you it's designed that way after I publish it along with 15M other people's balance. Not a leak guys !
(comment deleted)
It's not Trello, it's Atlassian who did not learn and doesn't seem to care that much.

Even in 2017 it seemed to me Atlassian only bought it so anyone else couldn't have it and they would like it to die in the future but for the time being they could use it as future customer acquisition entry for their main products ( Jira and Confluence )

Their disinterest in Trello in recent years might just be what has saved it for so long. Once their crack teams of product development people arrives it will be game-over.

Why did I hear about this from haveibeenpwned rather than from Trello? I received an email from pwned but nothing from Trello.
Probably legal reasons. Usually doesn’t make business sense to declare and publicly announce a breach until you do some internal investigating to understand the scope/impact (not defending them, it’s just reality.. also their cyber insurance company would get pissed if they did anything without their approval during a possible breach, things take time)

Probably also some internal debate whether this should be considered a breach or not and whether it’s worth the cost of announcing it vs. the risk of not announcing it

There are legal (GDPR, Art. 34) requirements to publish a breach if it hits EU citizens and the bar for publication is met.
This is true, but as the parent mentioned you also need to understand the nature of the breach first. Giving people accurate information is as important as giving them timely information.
FTA: "Trello advised that no unauthorised access had occurred."

So they may not feel they need to say anything.

From what I can tell, you can get all the info mentioned just by putting an email into the invite popup. So this isn't a leak in that sense. Everything works as intended.
I think it's important to be clear that this isn't some small startup. Trello is Atlassian
I just found out that I have different passwords for Trello and for Atlassian.

Whatever.

Because it wasn’t a breach, the title is misleading. It was just credential stuffing.
Bad title. Attackers queried Trello with email addresses and got back names, usernames and if the addresses were valid. You can use a lot of services to do that, but usually they cost money.

> > Trello In January 2024, data was scraped from Trello and posted for sale on a popular hacking forum. Containing over 15M email addresses, names and usernames, the data was obtained by enumerating a publicly accessible resource using email addresses from previous breach corpuses. Trello advised that no unauthorised access had occurred

That’s still leaking.
You are both correct. The title is bad since it says "Trello leaked 15M email addresses" but the email addresses were already leaked and were used to look up the additional details. It is still leaking (names and usernames), but Trello didn't leak 15m email addresses.
How can they confirm that the email addresses were all from previous breach corpuses without buying said corpuses? Attackers could have been probing for first name + last name combinations to confirm business email addresses, for instance. Just because the parameter was "email address" doesn't mean that those email addresses weren't automatically generated.
You misunderstand, I have a very unique French email address and I got the email. There is no way they enumerated my email address, there is no way they matched 15M randomly generated first.last@gmail.com emails: mine wasn't even that.

For info, that same email address has been receiving many many haveibeenpwned warnings, it's everywhere and I consider it basically completely public lol.

Than be bold and post it here! /s
No doubt they used breach corpuses, but the question is how Trello knows that that was all that the attackers submitted to the endpoint.
I bet they did it via the "share" button. Put in an email and Trello returns a name and username. Would be pretty trivial to have a bot slowly enter emails over time.
If these email addresses get leaked to criminals, then the rest of us should have them too. Come on, Trello - hook an entrepreneur up!
The email addresses weren't leaked by Trello - they were already leaked from "previous breach corpuses". So if you want the email addresses, you just need to be hanging out in the same forums and sites as the bad actors.
This is why I use burner e-mails for many of these services
Guess I'm right to have never used their services.
You probably should stop using any service on the internet to be on the safe side...
I assume all of my information is public, from my SSN, email, name, DOB, to all my possible security questions.

This is why I have my credit frozen with every agency, and all of my security question answers are plausible sounding, but entirely fake, answers stored in my password manager.

I'm not sure there is anything else we can do as consumers.

My mother has at least 20 maiden names.
htiusdhtehdhstansuhetauhtaneouh? Is that Finnish?
These answers suffer from a company support representative accepting "a long string of letters" as an answer, which they often do.

Much better to use a 'plausible' answer like "Fielder" or "Pitt" or any random real last name.

Hyphenate it for more entropy - eg: Fielder-Pitt.
You can make it mildly more complex by hyphenating. For example “Moss Coane”.

Sounds plausible enough, but clearly a fake.

(comment deleted)
I feel so bad for all the people who have the same surnames as their unmarried mothers and don't think this through. I don't know how big that chunk of humanity is, but I feel for them.
My security question answers are also stored in my 1Pass but are not plausible or even reasonable. They’re memorable passwords.

People asking them do need an explanation though, but no chance someone could guess one because it was plausible but wrong.

A lot of times those are read by customer service reps. You'd hope if someone called up as MOARDONGZPLZ and said wazzup I'm MOARDONGZPLZ, my security questions are all gibberish, the CSR would be all "nope, need the exact answers." But instead they could be all "yeah kewl man, they are gibberish. How much $ would you like me to transfer again?
Maybe prefix the answer with "precise match only," in all caps?
Doubt it'd actually work - remember, humans.

I think the "random but actually meaningful" route is better. If you want it to get checked, grandma's name comes off fake name generator, not line noise from a CSPRNG.

You can't "outsmart" someone whose salary is predicated on doing the most frictionless version of the work possible and still get paid.
I just generate a short set of random words.

A CSR is much more likely to expect correct or similar words than a correct or similar string of gibberish.

What street did you grow up on?

Correct Horse Battery Staple

WHat's your mothers maiden name?

Correct Horse Battery Staple

What's your favourite movie?

Correct Horse Battery Staple

Sometimes a CSR for a bank or insurance company will ask questions and expect answers based on their sata about you. Which is especially fun when it's:

1) Wrong information

2) Information you don't know, like an estranged family member's birthday

I also use generated "passwords" for security question answers because most of the questions are idiotic and easy to guess for someone who is really targeting you.

They don't need to be plausible sounding, by the way, a random string of characters is fine.

Pet's name -> probably in your Instagram

Favorite color -> Hmm let's see what clothes you wear in your selfies

Street you lived on -> Hmm they probably already breached your credit report and the idiots at Experian leak all the streets you lived on without your consent

For a while I had an account that had, as a last resort for recovery, asked me random questions about the town I grew up in. Like, “which of these roads were near your house.”

Had no idea, googled them… there’s some security theater that I don’t think anybody could have been reassured by.

I've seen a few cases where the security questions are part of a list. Something like:

> Select your favorite city:

> 1) Paris

> 2) New York

> 3) Banana

> 4) Beijing

My security questions are random-character passwords.
Also, never give out your residential address to anyone except the government, and your employer. Use a virtual mailbox for all private companies because they leak info, just like this. Private companies are not the government and have no right to know where you sleep.

Don't register to vote. It doesn't matter anyway unless you're in a swing state, and the idiots at the voting registration offices leak residential addresses.

When I said "I assume all my information is public", that included my address.
I’d go one step further and say that the government also has no right to know where you sleep.

This isn’t a prison, my location isn’t anyone’s business but my own.

Yeah I agree with you in principle, though I don't want to get in trouble with the people who have guns and handcuffs.

Private businesses on the other hand can f off. My credit card co can't come and handcuff me for not giving them an address to leak to 3rd party auto ads.

Well it's not a prison but it's a big group of people reaching compromises to make it safer for everyone else. Look at it this way: if nobody knows your address, not even the people guaranteeing property law, someone could enter your house, get you to fuck right off, and you'd end up naked in the street with everyone asking where's your proof you live there.

Simplification sure, but you started.

My landlord and I have a signed lease which can be produced on demand. No other party need have the information in advance, especially not those who claim the authority to enforce property rights.

Courts enforcing notional rights weeks or months later can’t get you un-murdered in your sleep by home invaders. Did we all forget that swatting is a thing?

The place that you sleep is secret, and you should never tell it to anyone that isn’t an invited guest, especially not apps or the DMV. Every other data leak can nominally be mitigated with time, inconvenience, or expense, but violence to your person or your children cannot be un-done after the fact.

https://www.nbcnews.com/news/amp/ncna1274747

How does one keep your address secret from the DMV?
I guess if you are rich enough you could rent an additional studio that you don't actually sleep in 99% of the time but technically is one of your residences, and give that address to the DMV.

When the DMV leaks your info to all your stalkers and crooks on the internet and they come after you they won't find you there.

This is the most airtight way if you have money to burn, but most everyone I know just uses a postbox (not a PO box but a private one) like full-time RVers/vanlife people do.
(comment deleted)
I read your reply in Ron Swanson's voice. Not that I disagree with you.
Then why post a comment mocking me?

Ron Swanson is parody; I am being sincere.

Going to make a service for quick filling forms that takes advantage of this :)
Whats more amusing is that the DOJ and FinCEN think their KYC and anti money laundering regime works simply because people with sanctioned names don't have bank accounts here…. in their name

They seem to completely not notice that every individual and business would never know if another bank account existed in their name if it wasnt used in a different kind of crime or overdrawn forever.

there are plenty of people that just want access and dont do anything bad with it, aside frok the paradoxical standard of having access or impersonation to be bad

same is true of credit, although the original identity can see the extra credit line added, sometimes the phantom is a better steward of your credit than you are. Like “wow mixed lines of credit, paid on time! thanks undocumented person!”

You mis-construct law enforcement / crime prevention. First, it's never about solving all crimes committed by "bad people", the first priority is to show a big red lock everywhere sensitive so that your nice grandma doesn't go "oh well, the door is open and nobody's looking, might as well go see what's in there". Opportunity is the biggest driver of crime in humans, and it would be unmanageable not to have those sanction regimes in place, just as if nobody had door locks.

Second, they need to make it illegal FIRST, or there would be no sanction evasion crime: if they don't act all naive and say "you cannot have an account here at all", then having an account would be fine... now the criminals need to cheat and lie, which they can be charged for.

Finally: not all crime will ever be punished and there's definitely a cost calculation: do we want to take fingerprints of all clients in banks to match them to a central id card database, to end up with criminals infiltrating the fingerprinting system anyway and everyone else having to do those dumb fingerprint checks for nothing ? Better keep it simple while the criming stays manageable.

You can give unique emails to every service, not provide your real DOB, use randomized security questions, and a per-service alias name.

The only cases where this doesn’t work are banking and airlines, which are required to check your government ID. Trello isn’t, and you can give them a burner forwarding email and fake name so this kind of thing doesn’t affect you.

You’d be surprised how much business you can conduct without providing your name. (pro tip: the “name” field in the credit card form is not matched against the cardholder.)

Also, make sure your CC billing address is a post box, so you’re not giving your residential address to everyone you transact with (the address/zip is matched).

Not only the name is matched here in Hong Kong, but the address as well: so many people don't believe it, and I have to strongly insist they just write it better and poof, payment works !

I think it's a sort of option / depends on amount: some sites don't ask more than your card number and it works, some other you need to redo 5 times before they match properly. And anyway here you need to approve in the app like for a Google 2FA in Android.

Try getting the CC you left at a restaurant back from then with an ID that doesn’t match the name.
No restaurant has ever asked me for an ID when making payment. Also, I think perhaps you misunderstood me: I am talking about forms on the web, as this thread is about Trello’s leak. My ID and all of my payment cards match (as I used the same ID to obtain them).
I didn't say when making a payment, I said if you forgot your card there.

Also, I have been asked to show ID with a card when making payment at plenty of retail establishments, just not necessarily restaurants.

Security questions often require you to share other bits of PII and they aren’t hashed or encrypted either.

Why do I have to tell a stranger over the phone my mother’s maiden name to confirm I own the account? That’s not my info to share, it’s my mother’s.

> That’s not my info to share, it’s my mother’s.

It's also, for many people, incredibly easy to find. People often keep their maiden names as a middle name, so if you can find someone's mother (relatively easy in the age of Facebook) it's not a far leap to figure it out from there. Even if they didn't keep their maiden name, finding it out is pretty simple by connecting the dots.

It made a bit more sense in the era before a majority of people started posting their private lives on the internet. These days it's a security disaster. Thankfully, the increasing popularity of non-traditional naming arrangements will probably do away with it soon.

(comment deleted)
As consumers, we're powerless. As citizens, we should be demanding our governments apply meaningful penalties when companies leak our data.
Services like Apple’s “hide my email” are becoming more and more important. Not only does it prevent apps and websites crossing you across the web, it prevents website hacks from identifying you.

Expect websites and apps to strong arm your phone number in the future as a result.

I use Fastmail for that and without noticing, I'm to 32 "fake" addresses. Got banned by EA for buying and playing a game with an account on such an address.
Hah, that's dystopian. Taking precautions and being punished for it.
One man’s precautions are another man’s dataminig opportunity loss …
If your concern is datamining, then you should be far more concerned about the billing info (which can't be faked) than the email.
with the state of most data mining programs out there, moving addresses will destroy any ability to link you.
Right but changing your billing address/credit card number is still way much harder than creating a new gmail/outlook account.
FYI you can often set the billing address info to whatever you want for a lot of purchases, there's no mechanism to validate it.
>there's no mechanism to validate it.

Why would you spread falsehoods like that?

https://stripe.com/resources/more/what-is-address-verificati...

"Businesses in the United States, Canada and the United Kingdom use AVS" I don't live in any of these countries. Even so it's more cost for business to use AVS, most won't. The likes of my mobile phone credit or Steam or Spotify or cloud services don't use any sort of address validation
For EA it is less about datamining and more about flagging behavior that matches that of a cheater evading a ban. Cheaters reduce the fun, and therefore value, of a game.
I only own one game and it's offline, so there's that
I used masked emails for almost everything and thankfully haven’t run into any issues like this
You got banned while using a Fastmail address? That's hard.
Also highly recommend Relay by Mozilla. Coupled with their password manager, everything is so smooth
We also need something for phone numbers, since these also get leaked all the time and then you get weird Whatsapp calls. Reporting has no use, the numbers in Whatsapp never get blocked.
Many apps and services now demand a phone number, sometimes lying about suspicious activity or security problems to get you to cough it up. Others wait until you've been using the service to spring it on you so they have more leverage to squeeze it out of you.

Many of these services will also block signing up with throwaway email providers, of course Apple's service would require them to block to many "legit" users so it remains a good choice. The ones taking your phone number usually block land lines and voip providers, some even block prepaid mobile plans!

Meanwhile they lose your PI and shrug their shoulders or blame the users, but if you try to protect yourself from their garbage security the decide you must be a bad actor for practicing compartmentalization to limit the blast radius of their inevitable screw ups. It isn't like there is punishment for them screwing up so there's no reason for them to not take everything they can get.

After getting phished on my RuneScape account, I’ve learned to NEVER reuse passwords, and enable 2FA wherever possible so when a data leak like this happens, the risk is mitigated to just that website, if at all. All passwords are randomly generated strings.
How are attackers getting username and real names from this? Surely the password reset page doesn't reveal that information?
The "share" button for a board does. Share a Trello board and enter an email. It returns a full name and a username in the response and sometimes the UI.
I don't want to diminish security leaks in general, but if your email address is first.last@employer.com where's the breach? Given, this I think Saas services should make a move back towards usernames.
Thanks for services like Firefox Relay that create masked email addresses. I remember being not able to make my email address not discoverable on my Trello account, at the time I complain to support because random people added me to their kanban boards, now I find other issue with that feature.
What if service is closing or you want to move to another ? Genuine question. I see the short term advantage of all those services offering hidden emails but to me i've got more to lose with it if the service is interrupted for whatever reason than having to filter some spam in a mailbox I got full control on.
Those burner emails always forward the messages to your main email.
Ah, The Atlassian Effect kicks in. Turning perfectly good products into steaming bags of horribleness.

Sorry, a little snarky. But I predicted Trello would suffer from joining Atlassian, and though this is not how I predicted that would happen (I predicted lots of utterly useless new features clogging up the UI until it's unusable), it is an indicator of The Atlassian Effect in action.

This email leak is probably step one. Someone is going to correlate passwords from other breaches to figure out who reused passwords and then use that to breach accounts. Hopefully Trello is protecting against this with something like an integration with HIBP for logins to force password changes or with MFA.
Some months ago my company got certified with the ISO 27001 thing about information security management. It was a horrible process to be part of and in charge for for the IT side and the consultants and auditors where the types of people that take themselves too seriously, haven't worked in a real environment in 20 years and come and suggest things just because it's in the standard, but with no context as to how companies operate. Anyhow, apparently this certification is somehow important for a lot corporate clients, I always said that's it's mostly security theatre. Now I see that both Atlassian and Trello are ISO 27001 certified and they leak the data like this... How do they even get away with this in an audit, maybe because it's just a worthless certification.
I think it’s fundamentally just ass covering. Executives want some kind of certification to be able to say they did due diligence. The quality of the certification doesn’t really matter as long as it’s standard enough
not a breach or an alleged breach - this was simply testing to mass amounts of email addresses to see if they were valid users.
Nice. About time too. Trello was languishing for far too long. I thought it would have been breached far too early. That's why always create a proxy email and a separate password for each service.