What do you think about Mashable? Take a quick survey to let us know!
Home > Tech

Trello leak: Over 15 million email addresses exposed. How did this happen?

A hacker explains how they stole sensitive data from Trello.
By Matt Binder  on 
Share on Facebook Share on Twitter Share on Flipboard
Trello app on smartphone
A hacker has publicly released sensitive data for more than 15 million Trello user accounts. Credit: Savusia Konstantin / iStock Editorial / Getty Images

Trello is a popular project management tool that's well-known for its kanban-style list format. 

On Tuesday, the private data connected to 15,115,516 Trello user profiles was shared on a popular forum for hackers, as first noticed by the cybersecurity news website Bleeping Computer. It appears that a single hacker discovered a flaw in Trello's system and was able to extract sensitive private user data.

While much of the data connected to a Trello account is public information, not all of it is. By far, the most concerning part of the breach for Trello users is the email address data. 

Over 15 million Trello users now have their private email addresses associated with their Trello profiles exposed to the public.

Mashable Games

How did this happen?

The Trello data breach and subsequent leak can be traced back to earlier this year. Bleeping Computer first noticed in January that the hacker, with the moniker "emo," was selling the Trello data on the hacking forum before providing greater access to it this week. 

Mashable Light Speed
Want more out-of-this world tech, space and science stories?
Sign up for Mashable's weekly Light Speed newsletter.
By signing up you agree to our Terms of Use and Privacy Policy.
Thanks for signing up!

Both Trello's parent company, Atlassian, and "emo" (the hacker), have since shared more information about how this leak came to be.

According to a forum post by the hacker, they discovered that "Trello had an open API endpoint that allows any unauthenticated user to map an email address to a trello account." In a correspondence with Bleeping Computer, the hacker further explained that once they discovered the flaw, they put together a list of hundreds of millions of email addresses and cross checked them with the Trello accounts in the API. From there, "emo" was able to link those email addresses with Trello accounts and create a user profile for more than 15 million accounts. 

Atlassian confirmed the issue with Bleeping Computer in a statement, saying that the Trello REST API was intended to allow Trello users to invite guests to public boards through email. The company has updated the Trello API to preserve this feature while preventing its misuse by bad actors.

"Given the misuse of the API uncovered in this January 2024 investigation, we made a change to it so that unauthenticated users/services cannot request another user's public information by email," Atlassian said in its statement. "Authenticated users can still request information that is publicly available on another user's profile using this API. This change strikes a balance between preventing misuse of the API while keeping the ‘invite to a public board by email’ feature working for our users. We will continue to monitor the use of the API and take any necessary actions."

Fixing the issue is certainly a step in the right direction. Unfortunately, the leaked data that was obtained through this method is still out there. And if one wonders exactly what can be done with this data, "emo" the hacker shared exactly why the Trello leak is useful to bad actors in their forum post.

"This database is very useful for doxing," wrote emo, who explained one can simply match the email address to a full name or alias attached to a Trello account using the stolen data.

Trello users should be aware that this sensitive data is out there.

Topics Cybersecurity

Recommended For You
This is likely the biggest password leak ever: nearly 10 billion credentials exposed
By Matt Binder
Login screen
New iPad mini reportedly coming soon. A new leak exposes what's inside.
By Kimberly Gedeon
Child playing a racing game on iPad mini 5
ADT data breach leaks customers’ location and email addresses — here’s what happened
By Alex Perry
ADT sign in yard
The pink Google Pixel 9 resurfaces in another video leak — but the screen is turned on this time
By Alex Perry
Google Pixel 9
Crack the code to email marketing mastery with lifetime tracking for $45
By Sponsored by StackCommerce
Email Tracker
Trending on Mashable
Wordle today: Here's the answer hints for September 1
By Mashable Team
a phone displaying Wordle
Netflix's 'Kaos': A basic guide to the Greek myths and figures in the series
By Shannon Connellan
Sam Buttery, Suzy Eddie Izzard, and Ché as The Fates in "Kaos."
NYT Connections today: See hints and answers for September 1
By Mashable Team
A phone displaying the New York Times game 'Connections.'
Billie Piper's character spoils the big twist of 'Kaos' in the first 5 minutes
By Shannon Connellan
Billie Piper as Cassandra in "Kaos"
NYT Connections today: See hints and answers for August 31
By Mashable Team
A phone displaying the New York Times game 'Connections.'
The biggest stories of the day delivered to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up. See you at your inbox!